Currently when there is a data breach, the source company is usually on the hook for nothing more than signing victims up for credit reporting for a year, a scheme that I would not be surprised is actually money making (e.g. providing thousands of great leads for a credit reporting agency has to be gravy). On the cost/benefit ratio, security of personal information just really doesn't matter in cases like this. There are some other companies, like Google, who would take a serious image hit, but for a pseudo-employer company like Uber there will be no ramifications.
It isn't surprising that they deprioritize security -- the market doesn't demand it.
It isn't surprising that they deprioritize security -- the market doesn't demand it.