Uber will pay Washington state $5.79 million as part of a massive $148 million settlement reached with attorneys general in all 50 states and the District of Columbia.
Uber settled cases involving a 2016 data breach that exposed personal information of more than 57 million people worldwide. The company covered up the breach for more than a year and paid hackers to keep everything under wraps. About 13,000 drivers in Washington state were affected. They will receive $2.2 million of the settlement, amounting to $170 for each Uber driver affected.
Uber disclosed the breach in November under new CEO Dara Khosrowshahi. It was the first day on the job for Tony West, Uber’s chief legal officer.
“Rather than settling into my new workspace and walking the floor to meet my new colleagues, I spent the day calling various state and federal regulators to discuss the 2016 data incident the company had just disclosed,” West said in a blog post Wednesday.
Uber agreed to develop a more robust security program and share independent assessments of its effectiveness with government officials every two years for the next decade in the settlement. The agreement is part of Uber’s efforts to rehabilitate its image after a year of scandals plagued the ride-hailing giant.
“Our current management team’s decision to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability,” West said in the blog post. “An important component of living up to those principles means taking responsibility for past mistakes, learning from them, and moving forward.”
West will discuss his efforts inside Uber during next week’s GeekWire Summit in Seattle.
Washington Attorney General Bob Ferguson sued Uber for violating the state’s data breach notification law in 2017 before states joined together to pursue legal action. As a result, Washington received a larger share of the $148 million settlement than other states, according to Ferguson. Washington law requires companies to notify consumers and state officials of data breaches of personal information within 45 days.
“Uber kept this massive data breach secret for more than a year, and jeopardized the personal information of thousands of drivers,” Ferguson said in a statement. “Uber’s conduct was inexcusable and unlawful.”