Following last year’s disclosure of the 2016 data breach that it had desperately tried to hide, Uber has agreed to pay £113 million to settle legal action brought by drivers, customers and states over the breach, which exposed the data of 57 million customers and drivers.

Uber’s chief legal officer Tony West said in a statement released on Wednesday that the agreement was reached with the attorneys general of all 50 states and the District of Columbia to resolve their legal inquiries into the matter.

The breach

In October 2016 the company discovered a massive breach affecting 57 million Uber customers and drivers, but instead of acknowledging it, Uber paid £75,000 to the hackers in exchange for deleting the data and keeping the breach quiet, in effect hiding the breach from regulators and all affected customers.

The data the ride-sharing firm concealed included vast quantities of personal information from driver and customer accounts globally: names, email addresses and mobile phone numbers, including the data of approximately 2.7 million user accounts in the UK.

It took a year, but in November 2017 Uber came forward with some details of the breach and admitted its mistake in not disclosing the breach at the time of discovery.

The outcome

In addition to the financial settlement, Uber has also vowed to change how it operates to prevent any recurrence. Going forward, Uber will also need to submit routine reports on security incidents to regulators.

In the same statement, chief legal officer Tony West said: ‘We know that earning the trust of our customers and the regulators we work with globally is no easy feat. After all, trust is hard to gain and easy to lose. We’ll continue to invest in protections to keep our customers and their data safe and secure, and we’re committed to maintaining a constructive and collaborative relationship with governments around the world’.

The Lesson

Financial settlements and fines, such as the settlement Uber has agreed to, demonstrate the cost of failing to protect customers’ information.

Attempting to hide a data breach has no positive outcome for any party involved. Being open about customer data breaches is not only the morally correct thing to do; it also lets affected individuals take the necessary steps to thwart further attacks or compromise arising from the breach.

Unprotected data can be stolen in seconds, but the damage to customer confidence is long-lasting and can take years to repair.