Attorney General Curtis Hill said Indiana will receive nearly $1.5 million of the $148 million Uber has agreed to pay to states after the ride-hailing company failed for a year to notify drivers that hackers had stolen their personal information.
Hill said Wednesday that $752,400 of Indiana’s share will be distributed to drivers affected by the breach. The state will provide each with a $100 payment.
Eligible drivers are those whose driver’s license numbers were accessed during the 2016 breach. Some drivers may no longer drive for Uber.
Hill said a settlement administrator will be appointed to provide notice and payment to eligible drivers. Details will be announced later.
Uber learned in November 2016 that hackers had gained access to the drivers’ personal information.
The federal settlement calls for Uber Technologies Inc. to pay $148 million in total to settle claims related to a large-scale data breach that exposed the personal information of more than 25 million of its U.S. users.
The settlement, spanning all 50 states and the District of Columbia, is the biggest data-breach payout in history and marks the most sweeping rebuke by regulators against the San Francisco-based company, which earned a reputation for skirting rules in its push to dominate the ride-hailing market.
The states’ agreement stemmed from data compromised in 2016 by hackers, who obtained 607,000 U.S. driver’s license numbers as well as tens of millions of consumer email addresses and phone numbers, a leak that Uber failed to disclose for more than a year after discovering the attack.
“This record settlement should send a clear message: we have zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation,” said New York Attorney General Barbara Underwood in a statement Wednesday.
The penalty comes at a pivotal time for Uber chief executive Dara Khosrowshahi, who is laying the groundwork for a 2019 initial public offering while working to distance the brand from the controversial growth-at-all-costs approach established under his predecessor, co-founder Travis Kalanick.
Bloomberg News reported last November that Kalanick learned of the 2016 breach just a month after hackers stole the personal data on 57 million of Uber’s customers around the globe, including 25.6 million riders and drivers in the U.S. But the company concealed the breach from authorities and instead paid the hackers $100,000 to delete the stolen data and keep the incident quiet.
After the episode came to light, Uber ousted its chief security officer and disclosed the breach to the Federal Trade Commission, which had already reprimanded the company for a similar data breach from 2014.
“The commitments we’re making in this agreement are in line with our focus on both physical and digital safety for our customers, as exemplified by our recent announcement of a host of safety and security improvements and our recent hiring of experts like Ruby Zefo as Chief Privacy Officer and Matt Olsen as Chief Trust & Security Officer,” Uber Chief Legal Officer Tony West said in a statement Wednesday.
The nine-figure settlement is being distributed to the states rather than directly to those affected in the breach. In Iowa, for example, its $612,950 share of the settlement will go to the state’s Consumer Education and Litigation Fund. New York is receiving about $5.1 million. As part of the agreement, Uber also promised to improve its security policies and hire an outside party to monitor its data-privacy efforts and regularly report on necessary improvements.