Commonwealth of Virginia
Office of the Attorney General
202 North Ninth Street
For media inquiries only, contact:
Charlotte Gomer, Press Secretary
Mobile: (804) 512-2552
ATTORNEY GENERAL HERRING REACHES $148 MILLION SETTLEMENT WITH UBER OVER DATA BREACH
~ Virginia will receive $2,956,512.59 as its share from the settlement ~
RICHMOND (September 26, 2018) – Attorney General Mark R. Herring today announced that he, along with 49 other states and the District of Columbia, has reached an agreement with California-based ride-sharing company Uber Technologies, Inc. (Uber), which will provide Virginia with nearly $3 million in settlement money and address the company's intentional, one-year delay in reporting a data breach to its affected drivers.
Uber learned in November 2016 that hackers had repeatedly accessed personal information that Uber maintains about its 600,000 drivers, including drivers' license information pertaining to approximately 19,335 drivers in Virginia. Uber tracked down the hackers and obtained assurances that the hackers deleted the information. However, Uber failed to report this breach for over a year, waiting until November 2017, even though the breach had triggered Virginia law requiring Uber to notify affected Virginia residents.
"In this day and age, when more and more personal information becomes digitized, it is imperative that companies like Uber keep this information safe and alert both customers and drivers immediately if there has been a security breach," said Attorney General Herring. "This settlement sends a message to companies nationwide that we will not tolerate their failure to report breaches like this one and they need to put more security measures in place. My office and I will continue to make sure that consumers are protected and given the tools they need to keep their own information safe."
As part of the nationwide settlement, Uber has agreed to pay $148 million to the states. Virginia will receive $2,956,512.59 as its share. In addition, Uber has agreed to strengthen its corporate governance and data security practices to help prevent a similar occurrence in the future.
The settlement between Virginia and Uber requires the company to:
- Comply with Virginia data breach law regarding protecting Virginia residents' personal information and notifying them in the event of a data breach concerning their personal information;
- Take precautions to protect any user data Uber stores on third-party platforms outside of Uber;
- Use strong password policies for its employees to gain access to the Uber network;
- Develop and implement a strong overall data security policy for all data that Uber collects about its users, including assessing potential risks to the security of the data and implementing any additional security measures beyond what Uber is doing to protect the data;
- Hire an outside qualified party to assess Uber's data security efforts on a regular basis and draft a report with any recommended security improvements. Uber will implement any such security improvement recommendations; and
- Develop and implement a corporate integrity program to ensure that Uber employees can bring any ethics concerns they have about any other Uber employees to the company, and that those concerns will be heard.
This case was investigated and prosecuted by Attorney General Herring's Computer Crimes Section. For more information on Internet safety and how to protect your personal information, please visit www.ag.virginia.gov.