Attorney General Mike Hunter announced his office will give $100 to 4,655 Oklahoma Uber drivers who were affected by the 2016 data breach as part of a national settlement with the company.
The $148 million settlement comes after attorneys general from all 50 states and the District of Columbia investigated the California-based ride-sharing company for failing to report the breach within a reasonable amount of time, violating every state’s laws regarding data breaches and notification timelines.
Uber discovered the breach in November 2016 but did not notify its drivers and attorneys general until November 2017. The company also admitted that after discovering the breach, it paid off hackers to destroy the data.
Nationwide, the breach affected approximately 600,000 drivers. Hackers gained access to personal information on drivers, including driver’s license information. There is no evidence the stolen data has been misused.
Hunter said the decision by his office to give money back to the drivers is the right thing to do.
“Uber broke Oklahoma law, violated the trust of its employees and then tried to hide it,” Attorney General Hunter said. “This type of corporate misconduct is unacceptable and my office is committed to holding companies that engage in actions like this accountable. Although it doesn’t appear the information of those affected has been compromised, we are compelled to give the victims this money for their troubles and to show we are here to fight on their behalf. I appreciate and applaud attorneys general from across the nation for joining together to stand up for the victims of this crime.”
States giving money back to drivers are working to appoint a settlement administrator to find affected drivers to provide them with the payment. The only drivers eligible are those whose driver’s license numbers were accessed during the breach. Details of the process will be announced at a later date.
The $100 amount going to each driver was agreed upon by the attorneys general who decided to give money back.
Oklahoma will receive $1.14 million of the settlement, to pay drivers and a settlement administrator. The funds will also go toward upholding state consumer protection laws to help Oklahomans prevent and recover from fraud, mediation of consumer complaints and taking legal action against individuals or businesses that engage in deceptive or fraudulent practices.
The investigation determined the only customer information compromised was usernames and email addresses. No personal identifying or bank account information was stolen. Only personal information is protected under security breach laws.
Uber has also agreed to the following:
- Comply with state data breach and consumer protection laws regarding residents’ personal information and notifying them in the event of a data breach concerning personal information;
- Take precautions to protect any user data Uber stores on third-party platforms outside of the company;
- Use strong password policies for its employees to gain access to its network;
- Develop a strong overall data security policy for all data that Uber collects about its users;
- Hire an outside qualified party to assess Uber’s data security efforts on a regular basis and draft a report with any recommended security improvements. Uber will implement any such security improvement recommendations;
- Develop and implement a corporate integrity program to ensure that Uber employees can bring any ethics concerns they have about any other Uber employees to the company, and that those concerns will be heard.