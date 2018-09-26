SAN FRANCISCO (Reuters) - Uber Technologies Inc has settled with the top legal officers in all 50 U.S. states over a massive data breach that it failed to disclose in 2016, resolving one of the more significant embarrassments and legal tangles the ride-hailing company has suffered over the last couple of years.

State attorneys general said on Wednesday that Uber will pay $148 million to settle the matter, with payments distributed in varying amounts across the states and Washington, D.C.

The amount is precedent setting for attorneys general settlements in privacy cases. By comparison, the multi-state settlement with Target Corp (TGT.N) in 2017, over a data breach in which 41 million people had their data stolen, was just $18.5 million.

The settlement follows a 10-month investigation into a data breach that exposed personal data from around 57 million Uber accounts, including 600,000 driver’s license numbers. The terms also include changes to Uber’s business practices to prevent future breaches and to reform its corporate culture.

Uber will be required to report any data security incidents to states on a quarterly basis for the next two years, and implement a comprehensive information security program with an executive officer who advises executive staff and Uber’s board of directors.

“We know that earning the trust of our customers and the regulators we work with globally is no easy feat,” said Uber Chief Legal Officer Tony West. “We’ll continue to invest in protections to keep our customers and their data safe and secure, and we’re committed to maintaining a constructive and collaborative relationship with governments around the world.”

Uber’s new Chief Executive Dara Khosrowshahi disclosed the breach in November, more than a year after the company was hacked under the previous CEO. Uber paid the hackers $100,000 to destroy the stolen data, using its “bug bounty” program, which is designed to reward security researchers who report flaws in a company’s software, to make the payment.

Uber then chose not to report the matter to victims or authorities, the company acknowledged. Khosrowshahi has said the incident should have been disclosed to regulators at the time it was discovered in 2016.