The investigation, led by state attorneys general across the United States, focused on whether Uber had violated data breach notification laws by not informing consumers that their information had been compromised.
Rather than disclosing the breach when it occurred, Uber paid the hacker $100,000 through its bug bounty program, which financially rewards hackers for discovering and disclosing software flaws. The ride-hailing company convinced him to delete the data and stay quiet about it with a nondisclosure agreement.
The incident became public a year later, when Uber’s chief executive, Dara Khosrowshahi, announced it as a “failure” and fired the two employees who had signed off on the payment.
“Uber’s decision to cover up this breach was a blatant violation of the public’s trust,” Xavier Becerra, California’s attorney general, said in a statement. “The company failed to safeguard user data and notify authorities when it was exposed.”
Tony West, Uber’s chief legal officer, said the settlement was part of a larger effort inside Uber to remake the company’s image. He said the company recently hired a chief privacy officer and a chief trust and security officer.
“We know that earning the trust of our customers and the regulators we work with globally is no easy feat. After all, trust is hard to gain and easy to lose,” West said.
He added that the breach was disclosed to the public during his first day on the job. “Rather than settling into my new workspace and walking the floor to meet my new colleagues, I spent the day calling various state and federal regulators,” West said.
The $148 million settlement announced Wednesday will be divided among all 50 states and the District of Columbia.
“Companies in California and throughout the nation are entrusted with customers’ valuable private information. This settlement broadcasts to all of them that we will hold them accountable to protect that data,” Becerra said.
This article originally appeared in The New York Times.