Pa. Uber drivers caught up in data breach to get $100 from settlement

Megan Guza
The Uber app on an iPad in Baltimore.

Pennsylvania Uber drivers whose personal data was compromised by the 2016 data breach at the ride-sharing company will receive a $100 payment as part of a settlement secured Wednesday, according to state Attorney General Josh Shapiro.

Those payments will total about $1.35 million and come from the $5.7 million that Uber must pay the Attorney General’s Office as part of the settlement, Shapiro said.

The rest will go toward Shapiro’s Public Protection Section and the Bureau of Consumer Protection to fund future investigations in the state.

Shapiro filed the lawsuit in March, months after it was revealed the company took more than a year to disclose a data breach that compromised the personal information of at least 13,000 drivers across the state.

“Uber violated Pennsylvania law by failing to put our residents on timely notice of this data breach,” Shapiro said in a statement. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year — and actually paid the hackers to delete the data and keep quiet.”

A spokeswoman for Uber referred to a blog post by Tony West, the company’s chief legal officer.

“Our current management team’s decision to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability,” West wrote. “An important component of living up to those principles means taking responsibility for past mistakes, learning from them, and moving forward.”

Uber disclosed the breach in November. The breach occurred in 2016 and affected 57 million people in the Uber system. As part of the settlement, Uber will pay $148 million to the office of Shapiro and 50 other attorneys general across the country who signed on to Shapiro’s lawsuit.

Other terms of the settlement require Uber to:

• Comply with Pennsylvania’s data breach and consumer protection law regarding protecting Commonwealth residents’ personal information and notifying residents in a timely manner of any data breach concerning their personal information.

• Take precautions to protect any user data Uber stores on third-party platforms outside of Uber.

• Implement stricter password policies for its employees to gain access to the Uber network.

• Develop and deploy an overall data security policy for all data that Uber collects about its users, including assessing any potential risks to the security of the data — and implementing any additional security measures as needed to best protect that data.

• Hire an outside, qualified third party to assess Uber’s data security efforts regularly and draft a report with recommended security improvements – which Uber is required to implement.

• Implement a corporate integrity program to ensure that Uber employees can bring any ethics concerns they have about any other Uber employees to the company, and that it will be heard.

Shapiro called the delayed notification “outrageous corporate misconduct.”

“Today’s settlement holds them accountable and requires real changes in their corporate behavior,” he said.

Megan Guza is a Tribune-Review staff writer. You can contact Megan at 412-380-8519 or via Twitter @meganguzaTrib.
