Uber pays US$148 million fine after data breach allegedly concealed

Uber Technologies has agreed to pay a US$146 million fine to American authorities and promised to tighten security to settle allegations it intentionally concealed a 2016 data breach in violation of state data breach notification laws.

The settlement, announced Wednesday and reached with all 50 states and the District of Columbia, requires Uber to adopt model data breach notification and data security practices, as well as a corporate integrity program for employees to report unethical behavior. It will also have to hire an independent third party to assess its data security practices.

“This record settlement should send a clear message: we have zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation,” New York Attorney General Barbara Underwood said in a statement.

The fine will be distributed among the states. New York, for example, will receive US$5.1 million. Illinois will get US$8.5 million, and from that the state plans to give US$100 to each affected Uber driver.

According to a New York State release, in November 2016, hackers based in the United States and Canada secretly informed security officials at Uber that they had downloaded the personal information of 57 million riders and drivers, 25 million of whom were in the United States and 7.7 million of whom were drivers. The information stolen included names, email addresses, and mobile phone numbers; drivers’ license information pertaining to approximately 600,000 drivers nationwide was also stolen. After providing proof of the massive data breach, the hackers demanded “six figures” to delete the data and not disclose the breach. Uber ultimately paid the hackers US$100,000 to conceal the breach.

In the spring of 2017 Uber’s board of directors told a law firm to investigate Uber’s security team in the wake of unrelated litigation involving the alleged theft of trade secrets related to self-driving cars. As part of this inquiry, the law firm learned of the breach and ransom payment. Only then did the board hire a forensic firm to investigate the breach. Uber ultimately provided notice of the breach in late November 2017, a year after the breach.

Uber didn’t see a need to notify, at the same time, about 815,000 Canadian users who could have been affected by the breach, until Alberta’s privacy commissioner ordered it last February to tell users in that province. According to CBC News, Uber then decided to tell all Canadians whose data was stolen about the incident.

Uber argued it didn’t have to notify users or drivers in Alberta, despite the province’s privacy law, which requires breach notification to potential victims.

The incident took place when Canada’s privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), didn’t have a mandatory breach notification obligation. PIPEDA has since been amended, and mandatory breach notification where there is a real risk of significant harm to a potential victim begins Nov. 1.


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
