SAN FRANCISCO – Uber agreed Wednesday to pay $148 million to settle cases in 50 states related to a 2016 data breach that affected 50 million global customers and 7 million drivers.
While data breaches at big companies have become the norm, Uber's stood out for two reasons: then-CEO Travis Kalanick and his senior leadership paid the hackers responsible for the breach $100,000 to keep quiet and destroy the data, then decided to wait a year before publicly disclosing the incident.
Settling claims from attorneys general in every state and the District of Columbia was a way for current CEO Dara Khosrowshahi to reinforce the message of a public campaign to clean up Uber's frat-boy reputation.
The breach was only disclosed in November 2017, a few months after ex-Expedia CEO Khosrowshahi took the wheel of the ride-hailing giant and ordered an internal investigation of the breach.
After discovering the breach, Khosrowshahi fired chief security officer Joe Sullivan and Craig Clark, a senior lawyer who reported to Sullivan. Uber's investigation determined that no customer or driver data had actually been abused by the hackers.
The breach began when attackers accessed GitHub.com, a website used by software engineers, and obtained login credentials there for information stored on an Amazon Web Services account controlled by Uber, Bloomberg said. In that account they found an archive containing rider and driver data.
Uber's rapid sprint from San Francisco startup in 2009 to global mobility solution was abruptly hobbled in early 2017 when former engineer Susan Fowler wrote a blog post describing a company where sexist behavior went unchecked. That, coupled with disclosures of business practices that skirted the law, led to Kalanick's demise.
"Uber’s decision to cover up this breach was a blatant violation of the public’s trust," California Attorney General Xavier Becerra said in a statement. "Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law. ... This settlement broadcasts to all of them that we will hold them accountable to protect that data."
Uber chief legal officer Tony West wrote in a blog post that his first day on the job last year, in fact, was spent making calls related to the data breach.
"Our current management team’s decision to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability," West wrote. "An important component of living up to those principles means taking responsibility for past mistakes, learning from them, and moving forward."
As part of the terms of the settlement, Uber also has agreed to maintain more robust security practices led by a security officer who reports to its board of directors, comply with state laws with regard to safeguarding consumer information, disclose any data security incidents quarterly for two years and maintain a Corporate Integrity Program that includes a hotline to report misconduct and institute annual code of conduct training.
Contributing: Elizabeth Weise
Follow USA TODAY reporter Marco della Cava: @marcodellacava