CHICAGO—Uber has agreed to pay $148 million and take steps to tighten data security, after the ride-hailing company failed for a year to notify drivers that hackers had stolen their personal information.
Illinois Attorney General Lisa Madigan announced the settlement on Sept. 26, between Uber Technologies Inc. and all 50 states and the District of Columbia.
“Uber completely disregarded Illinois’ breach notification law when it waited more than a year to alert people to a serious data breach,” Madigan said.
Madigan said that although Uber is now taking appropriate steps, “the company’s initial response was unacceptable. Companies cannot hide when they break the law.”
Uber learned in November 2016 that hackers had accessed personal data, including driver’s license information, for roughly 600,000 Uber drivers in the U.S. The company acknowledged the breach in November 2017, saying it paid $100,000 in ransom for the stolen information to be destroyed.
Tony West, chief legal officer for Uber, said the decision by current managers was “the right thing to do.”
“It embodies the principles by which we are running our business today: transparency, integrity, and accountability,” West said.
The hack also took the names, email addresses and cell phone number of 57 million riders around the world.
All 50 states and the District of Columbia sued Uber, saying the company violated laws requiring it to promptly notify people affected by the breach.