Uber to pay $900,000 over delays in reporting a data breach that hit 2,500 people in Utah

FILE - This March 1, 2017, file photo shows an exterior view of the headquarters of Uber in San Francisco. Toyota will sink a half-billion dollars into Uber and work jointly with the ride-hailing giant to develop self-driving vehicles, a person briefed on the matter said Monday, Aug. 27, 2018. (AP Photo/Eric Risberg, File)

Uber will pay nearly $900,000 to Utah as part of a settlement agreement stemming from delays in reporting a data breach.

It’s part of a $148 million settlement involving all 50 states and the District of Columbia, the Utah attorney general’s office said in a Wednesday news release.

The ride-sharing service learned in November 2016 that hackers had gained access to drivers’ license information and other personal information about its users. The data breach involved 600,000 drivers nationwide, according to the attorney general’s office, including 2,500 from Utah.

Uber tracked down the hackers and “obtained assurances” that the information had been deleted — but the company failed to tell its customers about the breach, as required by state law, until a year later.

“I’m a fan of Uber,” Attorney General Sean Reyes said in a statement, “but that doesn’t keep us from doing our job. Protecting Utahns, their data, and identities is one of the top priorities of my office. Working with the Utah Department of Commerce and colleagues from other states, we were able to achieve a fair resolution without protracted litigation.”

Francine Giani, executive director for the Utah Department of Commerce, said in a statement that she hopes Uber’s case sends a message to other businesses that they must be swift in alerting the public when their information is compromised.

The settlement also requires Uber to take precautions to protect user data, use strong password policies for its employees and to hire an outside part to assess their security efforts on a regular basis, among other requirements.