Uber agrees to pay $148 million in massive 2016 data breach settlement
27.9.2018 securityaffairs Incident
Uber agrees to $148 million settlement with US States and the District of Columbia over the massive 2016 data breach that exposed personal data of 57 million of its users.
In November 2017, Uber CEO Dara Khosrowshahi announced that hackers had broken into a company database and accessed the personal data (names, email addresses and cellphone numbers) of 57 million of its users. The disconcerting revelation was that the company had covered up the hack for more than a year.
The attackers also accessed the names and driver’s license numbers of roughly 600,000 of its drivers in the United States.
The hack happened in 2016, and it was easy for the attackers: according to a report published by Bloomberg, they obtained credentials from a private GitHub site used by the company’s development team. The hackers then tried to blackmail Uber, demanding $100,000 from the company in exchange for not publishing the stolen data.
Rather than notifying customers and law enforcement of the data breach, as required by California’s data security breach notification law, chief information security officer Joe Sullivan ordered the ransom to be paid and the story covered up, with any evidence destroyed. The payout was disguised as a bug bounty prize, complete with signed non-disclosure agreements.
In 2017 the FTC charged the company with deceiving customers about its privacy and data security practices.
The first settlement dates back to August 2017; according to the FTC, the company had failed to apply security measures to protect customer and driver data. Later, while investigating that settlement, the Commission discovered that the company had not disclosed the 2016 data breach before 2017.
“This is one of the most egregious cases we’ve ever seen in terms of notification; a yearlong delay is just inexcusable,” Illinois Attorney General Lisa Madigan told The Associated Press.
“And we’re not going to put up with companies, Uber or any other company, completely ignoring our laws that require notification of data breaches.”
According to the settlement, Uber is obliged to disclose any future breach affecting consumer data and to comply with state consumer protection laws on the protection of personal information. Uber will also hire an outside cyber security firm to assess the company’s data security posture and improve it.
“Uber hired a longtime in-house counsel for Intel as its chief privacy officer and selected a former general counsel to the National Security Agency and director of the National Counterterrorism Center as the company’s chief trust and security officer,” continues the AP.
The overall payout will be divided among the states based on the number of drivers in each state impacted by the security breach. For example, the share for the state of Illinois is $8.5 million, and each affected driver there will receive $100.