Uber Agreed to Pay a Record $148 Million to Settle Accusations that it Intentionally Concealed a Major 2016 Data Breach
Uber Technologies, Inc. (Uber) agreed to pay a record $148 million to settle accusations that it intentionally concealed a 2016 data breach that exposed the personal information of 57 million riders and drivers. Uber reached agreement without trial or adjudication of any issue of fact or law, and without admission of any facts alleged or liability of any kind. In many respects, Uber’s alleged handling of the data breach highlights what not to do upon discovering a cyberattack.
According to reports, in November 2016, hackers notified security officials at Uber that they had stolen user information, which included names, email addresses, mobile phone numbers, and drivers’ license information. After providing proof of the massive data breach, the hackers demanded Uber pay a ransom to delete the data and not disclose the breach. Uber ultimately paid the hackers $100,000 to conceal the breach.
In the spring of 2017, Uber’s Board of Directors retained a law firm to investigate Uber’s security team in the wake of unrelated litigation involving the alleged theft of trade secrets related to self-driving cars. The investigators subsequently discovered the breach and ransom payment. Uber didn’t provide notice of the breach until November 2017, a year after the breach. The company later fired the two executives that approved the ransom payment.
The massive data breach and untimely disclosure prompted investigations by the Office of the New York Attorney General, along with numerous other state attorneys general. The recent settlement is the result of a multi-state probe that includes all 50 states, and the District of Columbia. In addition to the multi-million-dollar fine, the settlement requires Uber to adopt model data breach notification and data security practices and a corporate integrity program for employees to report unethical behavior, and hire an independent third party to assess its data security practices.
“This record settlement should send a clear message: we have zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation,” New York Attorney General Barbara Underwood said. “We’ll continue to fight to protect New Yorkers from weak data security and criminal hackers.”
Learning from Uber’s Cyber Mistakes
Uber has publicly stated that it has already started the process of overhauling its cyber and data security practices. As with other high-profile data breaches, there are a few lessons that other companies can learn from Uber’s mistakes:
Board of Directors Involvement: Board oversight is essential to a successful cybersecurity plan. Board members should regularly review policies and procedures for both protecting data and responding to a potential breach. In addition, security should not be an afterthought, but part of the conversation when planning a new marketing initiative, product, or service. Given that many board members are not cybersecurity experts, it is also essential to seek insight from technology and compliance professionals.
Oversight of Third-Party Vendors: If your vendors don’t take the same cybersecurity precautions, your data will still be at risk. It is imperative to carefully vet every company that has access to your data, including everyone from your cloud storage provider to your office cleaning company. Businesses should also require third-party vendors to meet minimum data security standards and also regularly monitor them for compliance. In most cases, this means conducting a yearly risk assessment to verify that third-parties are actually adhering to security protocols.
Prompt and Honest Breach Notification: Most companies will suffer a cyber incident at some point; what separates them is how they respond. The worst mistake a company can make is attempting to hide a data breach. While failing to notify the proper authorities can result in significant financial penalties, the public relations fallout with consumers is often much greater. When companies poorly handle data breaches, it also gives regulators additional ammunition when seeking to impose strict data privacy standards.
Creating a Compliance Culture: Creating a corporate culture that recognizes the importance protecting intellectual property and confidential business data can go a long way. As with any compliance program, it is essential to set the tone at the top. Everyone from senior management to entry-level workers should understand what to do in the event of a data breach. Practical employee cyber training is also important. By providing real life scenarios, employees can better appreciate their role in mitigating cyber risks.
As the potential risk and liability associated with data breaches continue to grow, businesses must be proactive. Consulting with attorneys knowledgeable in cybersecurity risk analysis and mitigation can help businesses of all sizes navigate the process.
If you have questions, please contact us
If you have any questions or if you would like to discuss the matter further, please contact me, Fernando M. Pinguelo, or the Scarinci Hollenbeck attorney with whom you work, at 201-806-3364.
Smart Contract Legal Issues: Drafting Agreements for Blockchain
Smart contracts feature a unique blend of legal agreement and technical code. This innovation has the potential to reshape how business is conducted. At the same time, smart contract legal issues around enforceability, jurisdiction, identity, and compliance are common. The legal framework for these self-executing agreements is still evolving. What Are Smart Contracts? Smart contracts, […]
Are Stay Interviews the Key to Retaining Top Talent?
Retaining top talent continues to be one of the greatest challenges facing employers today. Even in an employer’s market, the loss of a key employee can disrupt operations and result in significant costs. While compensation plays a role, long-term retention often depends on workplace culture, communication, and employee engagement. One increasingly popular strategy for improving […]
Secured transactions form the backbone of a wide range of business dealings, including business loans, mortgages, and inventory financing. Because the stakes are often high and relatively minor oversights can have drastic consequences, lenders and borrowers should thoroughly understand how to form an enforceable security agreement that protects their legal rights. What Is a Secured […]
Don’t Cash a “Paid in Full” Check Without Understanding the Legal Implications
Cashing a check marked “paid in full” can be a risky endeavor, particularly if you don’t fully understanding the legal implications. If you are owed more than the amount of the check you accept and deposit, you may waive your right to collect the full disputed amount. That is why you should consider either rejecting […]
Changes to Qualified Small Business Stock Will Benefit Startup Founders and Investors
The One Big Beautiful Bill Act of 2025 (OBBBA) significantly impacts federal taxes, credits, and deductions. A key change relating to Qualified Small Business Stock (QSBS) allows greater tax-free gains for investments in startups and other qualifying small businesses. Company founders and other investors should understand how the enhanced tax strategy works or risk missing […]
Corporate Consolidation and Antitrust Issues in Mergers
Corporate consolidation involves two or more businesses merging to become a single larger entity. The result is often a stronger and more competitive company that can better navigate today’s competitive marketplace. What Is Corporate Consolidation? Corporate consolidation closely resembles a basic merger transaction. The primary difference is that a consolidation creates an entirely new business […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
