Ride-hailing service Uber agreed to pay a $148 million penalty over a massive 2016 data breach which the company concealed for a year, the company and state officials announced Wednesday.
The agreement stems from a breach affecting some 57 million Uber riders and drivers disclosed by the California company, prompting litigation that was eventually joined by officials from the 50 U.S. states and the District of Columbia.
"New Yorkers deserve to know that their personal information will be protected -- period," New York Attorney General Barbara Underwood said in a statement.
"This record settlement should send a clear message: we have zero tolerance for those who skirt the law and leave consumer and employee information vulnerable to exploitation."
Uber learned of the breach in November 2016 involving personal information on riders and drivers, nearly half in the United States.
According to officials, Uber paid data thieves $100,000 to destroy the swiped information -- and remained quiet about the breach for a year.
The company said in a statement the agreement is part of an effort to live up to its standards of transparency and accountability after a series of embarrassing missteps.
"The commitments we're making in this agreement are in line with our focus on both physical and digital safety for our customers," Uber's chief legal officer Tony West said.
"We know that earning the trust of our customers and the regulators we work with globally is no easy feat ... We'll continue to invest in protections to keep our customers and their data safe and secure, and we're committed to maintaining a constructive and collaborative relationship with governments around the world."
Illinois Attorney General Lisa Madigan said her office would oversee a fund of $5.1 million that would pay each driver from the state $100, and seek to locate those who may no longer be driving for Uber.
"While Uber is now taking the appropriate steps to protect the data of its drivers in Illinois and across the country, the company's initial response was unacceptable," Madigan said. "Companies cannot hide when they break the law."
Officials said Uber would be required to improve its security practices, with an independent outside review of data security.
Uber disclosed the data breach last November shortly after Dara Khosrowshahi took over as chief executive and the ride-hailing giant sought to move past a series of allegations on misconduct and unethical business practices.
The company reached an agreement with the U.S. Federal Trade Commission on the breach that called for improved security and audits but no financial penalty.
