The $148 million settlement represents the largest multi-state data breach settlement in U.S. history, Grewal said.
It "resolves allegations that Uber failed to comply with state laws relating to the collection, maintenance and safeguarding of consumers’ personal information, and with state data breach notification laws."
Hackers stole the personal identifications of millions of Uber riders worldwide -- including names, e-mail addresses and mobile phone numbers -- as well as the names and driver’s license numbers of 600,000 or so Uber drivers.
Roughly 16,000 of those drivers were in New Jersey, Grewal said.
The data breach occurred in November 2016, but Uber didn't disclose it for a year, he noted.
“This is a significant settlement for New Jersey residents and for Uber users everywhere -- not only because the payout is historic," the attorney general said, "but because it requires that Uber adopt new policies and procedures that will more effectively safeguard the personal information of its riders and drivers in the future.
“We’re also sending a signal to other companies that ignoring consumers’ privacy rights comes with a stiff financial penalty.”
Among other terms of the settlement, Uber must:
- Take precautions to protect any user data that Uber stores on third-party platforms outside of Uber;
- Use strong password policies for its employees to gain access to the Uber network;
- Develop and implement a robust data security policy for all the user personal information that Uber maintains, including assessing potential risks to the security of the data and assessing whether there are any additional security measures needed beyond what Uber is doing to protect the data. Uber is also required to designate a Security Executive to oversee its data security policy;
- Hire an independent, qualified third party to assess Uber’s data security efforts on a regular basis and draft a report with any recommended security improvements. and
- Develop and implement a corporate integrity program to ensure that Uber employees can raise any concerns they have about any misconduct, ethical concerns or violations of the company’s policies, cultural norms or code of conduct.
It all began when anonymous hackers acquired Uber’s data by gaining access to one of the company’s private workspaces (hosted on a third-party software development platform known as GitHub) and obtained login credentials that enabled their access to an Amazon Web Services account utilized by the company.
Uber paid the hackers $100,000 to delete the data and keep the breach confidential, Grewal said.
Then, in August 2017, a new CEO took over at Uber.
After learning of the breach, the CEO hired a data forensics company to conduct an internal investigation and analysis. Soon after, Uber began notifying law enforcement agencies -- and eventually drivers -- of the breach.
New Jersey Deputy Attorney General Elliott M. Siebers and former Deputy Attorney General Russell M. Smith, Jr. within the Affirmative Civil Enforcement Practice Group in the Division of Law, handled the case for the state.
Click here to follow Daily Voice Wyckoff-Franklin Lakes and receive free news updates.