Alaska Attorney General announces $148 million settlement with Uber over data breach
September 26, 2018
(Anchorage, AK)—Alaska Attorney General Jahna Lindemuth announced that she, along with the other 49 states and the District of Columbia, has reached an agreement with California-based ride-sharing company Uber Technologies, Inc. (Uber) to address the company’s one-year delay in reporting a data breach to its affected drivers.
Uber learned in November 2016 that hackers had gained access to some personal information that Uber maintains about its drivers, including drivers’ license information for approximately 600,000 drivers nationwide. Uber tracked down the hackers and obtained assurances that the hackers deleted the information. However, even though Alaska law requires a company to notify affected Alaska residents when their personal data, such as drivers’ licenses, has been breached, Uber failed to report the breach in a timely manner, waiting until November 2017 to let people know. Uber’s conduct also violated Alaska’s Unfair Trade Practices and Consumer Protection Act.
“In this technological age, data breaches are a real threat to personal security,” said Attorney General Lindemuth. “It is vital that companies like Uber let the public know as soon as possible, while they work to remedy the situation. Waiting a year before disclosing this type of information is unacceptable.”
As part of the nationwide settlement, Uber has agreed to pay $148 million to the states. Alaska will receive $584,000. In addition, Uber has agreed to strengthen its corporate governance and data security practices to help prevent a similar occurrence in the future.
Alaska will provide each Uber driver impacted in state with a $100 payment. Eligible drivers are those drivers whose driver’s license numbers were accessed during the 2016 breach. Some of those drivers may no longer be driving for Uber. Eligible Uber drivers will be contacted via mail and email to confirm their address before receiving any payment.
The settlement between the State of Alaska and Uber requires the company to:
- Comply with Alaska data breach and consumer protection law regarding protecting Alaska residents’ personal information and notifying them in the event of a data breach concerning their personal information;
- Take precautions to protect any user data Uber stores on third-party platforms outside of Uber;
- Use strong password policies for its employees to gain access to the Uber network;
- Develop and implement a strong overall data security policy for all data that Uber collects about its users, including assessing potential risks to the security of the data and implementing any additional security measures beyond what Uber is doing to protect the data;
- Hire an outside qualified party to assess Uber’s data security efforts on a regular basis and draft a report with any recommended security improvements. Uber will implement any such security improvement recommendations; and
- Develop and implement a corporate integrity program to ensure that Uber employees can bring any ethics concerns they have about any other Uber employees to the company, and that it will be heard.
All 50 states and the District of Columbia are participating in this multistate agreement with Uber.
For more information, see the following court documents:
- Consent Judgment - PDF (146K)
- Appendix A - PDF (161K)
- Appendix B - PDF (178K)
- Complaint - PDF (128K)
CONTACT: Assistant Attorney General Cynthia Franklin at email@example.com or 269-5200.
# # #