The breach—where 57 million customers’ and drivers’ names, email addresses, and phone numbers were compromised—wasn’t disclosed until November 2017.
As Ars reported previously, Uber paid hackers $100,000 to delete the data they had taken and not publicize the breach.
“Uber’s decision to cover up this breach was a blatant violation of the public’s trust,” California Attorney General Xavier Becerra said in a statement. “The company failed to safeguard user data and notify authorities when it was exposed. Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law.”
The $148 million will be divided across all 50 states and the District of Columbia. California, which helped lead the settlement, will get $26 million. That amount will be divided between the California Attorney General’s Office and the San Francisco District Attorney’s Office.
“The settlement also includes additional terms to prevent future breaches and to reform Uber’s corporate culture,” Becerra’s office noted. “This settlement marks the first time the Attorney General has required a company to incorporate privacy-by-design into its products. Privacy-by-design describes a practice of integrating privacy considerations and protections into a product’s development and design.”
Uber is also required to report any “data security incidents” to states every quarter for the next two years.
“We know that earning the trust of our customers and the regulators we work with globally is no easy feat,” Uber Chief Legal Officer Tony West said in a statement posted to its website. “We’ll continue to invest in protections to keep our customers and their data safe and secure, and we’re committed to maintaining a constructive and collaborative relationship with governments around the world.”
The company still faces other lawsuits pertaining to this breach, notably from numerous drivers and the cities of Los Angeles and Chicago.
Uber declined to respond to Ars’ specific questions.