Car ride app Uber has agreed to pay $148 million (£112 million) to settle a case over a data breach in 2016. The case was brought by 50 US States against Uber. The monies will be shared among the states based on the number of drivers that each has. Some have committed to paying compensation to the drivers; most have not. Importantly, NO customers will receive any compensation or even a credit for their data being lost.
Texas Attorney General Paxton said: “Instead of notifying its drivers of the data breach in a timely manner, Uber violated Texas law by concealing the incident for a full year. Withholding that information deprived many Texans the opportunity to protect themselves from identity theft and fraud – crimes with serious consequences for consumers and businesses.
“Today’s settlement ensures that Uber will follow the law in the future and sends a message that my office will go after companies that do not take seriously their legal obligations to protect the personal information of Texans.”
What is this all about?
Back in 2016, Uber suffered a major data breach. Details of over 57m users worldwide, including 600,000 drivers, were stolen. The then CEO, Travis Kalanick, and key members of the company’s security team concealed the breach. The decision was made to pay hackers $100,000 to delete the data. The case added to growing concerns over Kalanick and led to his being removed from his post. It also cost at least four members of the security team their jobs.
When the incident became public, 50 US States brought separate actions against Uber. Each state was seeking damages based on the number of Uber drivers it had registered. The cases were combined into this single case.
Inverse has created a spreadsheet that lists each state and its response to the judgement. Many of the entries also point to statements from the Attorney General of that state, the original court documents and the final settlement.
There are 17 states that have committed to making pay-outs at the moment. The average amount drivers can expect is $100. This leaves 8 states undecided and the remainder banking the money themselves. California, the biggest recipient of monies, is splitting the money among its legal divisions.
What about other countries?
So far, the US is the only country to issue a formal fine against Uber. Other countries are likely to now take a closer look at the judgement and make their own decisions.
The UK ICO has been sitting on this case for some time. Its last update was 29 November 2017 when James Dipple-Johnstone said: “As part of our investigation we are still waiting for technical reports which should give full confirmation of the figures and the type of personal data that has been compromised.”
Will this lead to the ICO fining Uber? Will the case now be left to quietly go away? The answer to both is unknown. The ICO press office is so busy that it is currently taking weeks to respond to enquiries.
Uber will hope that this is an end to this issue at least. It is currently dealing with a number of lawsuits and fines around the world. In the last month, for example, it has seen fines in Singapore and Denmark. It is also fighting cases in other countries such as India.
What does this mean?
If the UK ICO does not take action against Uber there will be questions asked. Like other countries, it decided that the damage to customers was not enough to act immediately. But will it now act over driver data? If not, it may be that there will be a class-action lawsuit brought by UK drivers who will want a pay-out similar to the US. The problem is that the sum paid out is small and will likely be swallowed up by legal fees.
If this does become a worldwide issue then it could hit Uber hard. It has, at present, around 3 million drivers worldwide. Although the details of just 600,000 were lost and those seemed to be mainly US drivers, it will not want to see this case repeated globally. The final cost could be substantial.
CEO Dara Khosrowshahi is pushing for an IPO in 2019. He will want to have cleared as many legal challenges to the company as possible by then. He has overseen a significant change in attitude at the company, especially in the way it treats customers. The company has moved away from the policies of Kalanick that did so much damage to its reputation. Potential shareholders will want to know he has finally closed the book on past misdemeanours.
According to Ian Woolley, Ensighten’s Chief Revenue Officer: “Big fines are the tip of the iceberg for brands like Uber that conceal the truth from their customers following a security breach. The real cost is reputational damage. The new data economy demands trust and transparency between businesses and their customers.
“This is a wake-up call for all businesses to review their security strategy as a whole and ensure they address all vulnerabilities to prevent a future breach. Consumers’ data safety is paramount, and brands must put the right procedures in place to protect it.”