California State Attorney General Xavier Becerra joined San Francisco District Attorney George Gascon on Sept. 26 to announce a $148 million settlement with Uber over allegations that the company tried to cover up a 2016 data breach.
During a news conference in San Francisco Wednesday morning, Becerra said the ride-hailing service company violated several state and federal laws when it tried to cover up the breach and then paid hackers $100,000 for their silence.
“In San Francisco, where innovation and building new technologies is a given, it transforms our economy and transforms our lives. The innovators, those people who make it possible, must remember that protecting privacy is not just the right thing to do, in California, it’s the law,” Becerra said.
Uber is accused of exposing 57 million customers and drivers to risk by failing to inform them about the data breach and then also failing to report it to authorities.
An independent investigation into Uber’s conduct found that the company allegedly failed to inform 174,000 California drivers of the breach, which exposed their personal information and their driver’s license numbers, Becerra’s office said.
The hackers allegedly were located in the U.S. and in Canada. The breach was allegedly never reported to authorities until it was uncovered in November 2017 during an internal review by Uber’s Board of Directors.
According to Becerra, of the $148 million settlement, California will receive $26 million. That amount will be divided between Gascon’s office and the California Department of Justice.
The settlement also includes a historic set of terms for Uber.
“For the first time in history, an AG’s office has required a company to implement privacy by design into its products. That means that Uber must integrate privacy considerations and protections into every phase of their products’ development and design,” Becerra said.
Other terms include that Uber maintain a hotline or method for employees to report misconduct and ethical concerns such as a violation of Uber’s code of conduct. Additionally, Uber will be required to develop a comprehensive information security program, including the appointment of an executive officer to report directly to Uber’s Board.
Uber must also report any data security incidents to the state on a quarterly basis for 2019 and 2020.
According to Gascon, his office first began investigating Uber in 2013, based on allegations that it was misleading customers and drivers about security precautions.
“This was clearly a violation of the law, a violation of people’s privacy and we want to make sure that Uber is held accountable,” he said. “But we also want to send a message to the industry: We will work with you, we will support you, we want you to do well, but we will never support any activity that is going to compromise the safety of our community and that’s going to compromise the privacy rights, not only of the consumer, but in this case, that of the driver as well.”
Gascon said that although his office is currently in litigation with Uber, he has seen a difference in the company’s leadership. Earlier this month, Gascon’s office partnered with Uber and Lyft for a citywide campaign about safety when using ride-hailing services.
“We have seen a marked difference in the leadership in Uber. Unfortunately, we worked with a prior leadership and it was not pleasant. It was very aggressive and a very unethical leadership,” he said. “We have seen a shift… We’re hoping that this is real and there will be real resolutions to the pending matters.”