Uber has agreed to pay out $148m (£113m) after covering up a data breach affecting 57 million riders and drivers.
The payment will be shared among the US government and 50 states, and represents the largest privacy settlement of its kind.
In November last year, CEO Dara Khosrowshahi revealed the ride-hailing company had failed to disclose the breach to regulators, and had paid hackers $100,000 to delete the stolen data.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in a statement at the time.
The breach took place in 2016 when founding CEO Travis Kalanick was still running the ride-hailing company. Two hackers had infiltrated its cloud-hosted database, harvesting the names, email addresses and phone numbers of 57 million users.
“Uber’s decision to cover up this breach was a blatant violation of the public’s trust. The company failed to safeguard user data and notify authorities when it was exposed. Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law,” California Attorney General Xavier Becerra said in a statement.
Two of Uber’s security executives were dismissed in light of the breach. The company has since hired Ruby Zefo as chief privacy officer and Matt Olsen as chief trust and security officer.
“We know that earning the trust of our customers and the regulators we work with globally is no easy feat. After all, trust is hard to gain and easy to lose,” said Uber’s chief legal officer Tony West in a statement.
“We’ll continue to invest in protections to keep our customers and their data safe and secure, and we’re committed to maintaining a constructive and collaborative relationship with governments around the world.”
The company is yet to settle lawsuits with drivers, riders and three US states in relation to the breach.
“While this settlement is directly related to the incident at Uber, its impact extends well beyond one company,” said Tripwire’s vice president Tim Erlin. “A successful lawsuit with a meaningful financial impact reminds other organisations about the full range of cybersecurity risks. Financial settlement and fines are part of the risk equation when weighing out the costs and benefits of cybersecurity.”