Pa. Uber drivers caught up in data breach to get $100 from settlement
Pennsylvania Uber drivers whose personal data was compromised by the 2016 data breach at the ride-sharing company will receive a $100 payment as part of a settlement secured Wednesday, according to state Attorney General Josh Shapiro.
Those payments will total about $1.35 million and come from the $5.7 million that Uber must pay the Attorney General’s Office as part of the settlement, Shapiro said.
The rest will go toward Shapiro’s Public Protection Section and the Bureau of Consumer Protection to fund future investigations in the state.
Shapiro filed the lawsuit in March, months after it was revealed the company took more than a year to disclose a data breach that compromised the personal information of at least 13,000 drivers across the state.
“Uber violated Pennsylvania law by failing to put our residents on timely notice of this data breach,” Shapiro said in a statement. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year — and actually paid the hackers to delete the data and keep quiet.”
A spokeswoman for Uber referred to a blog post by Tony West, the company’s chief legal officer.
“Our current management team’s decision to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability,” West wrote. “An important component of living up to those principles means taking responsibility for past mistakes, learning from them, and moving forward.”
Uber disclosed the breach in November. The breach occurred in 2016 and affected 57 million people in the Uber system. As part of the settlement, Uber will pay $148 million to the office of Shapiro and 50 other attorneys general across the country who signed on to Shapiro’s lawsuit.
Other terms of the settlement require Uber to:
• Comply with Pennsylvania’s data breach and consumer protection law regarding protecting Commonwealth residents’ personal information and notifying residents in a timely manner of any data breach concerning their personal information.
• Take precautions to protect any user data Uber stores on third-party platforms outside of Uber.
• Implement stricter password policies for its employees to gain access to the Uber network.
• Develop and deploy an overall data security policy for all data that Uber collects about its users, including assessing any potential risks to the security of the data — and implementing any additional security measures as needed to best protect that data.
• Hire an outside, qualified third party to assess Uber’s data security efforts regularly and draft a report with recommended security improvements – which Uber is required to implement.
• Implement a corporate integrity program to ensure that Uber employees can bring any ethics concerns they have about any other Uber employees to the company, and that those concerns will be heard.
Shapiro called the delayed notification “outrageous corporate misconduct.”
“Today’s settlement holds them accountable and requires real changes in their corporate behavior,” he said.
Megan Guza is a Tribune-Review staff writer. You can contact Megan at 412-380-8519 or via Twitter @meganguzaTrib.