The state Attorney General Josh Shapiro said the company violated Pennsylvania’s Breach of Personal Information Notification Act.
Pennsylvania Attorney General Josh Shapiro is suing Uber for failing to disclose within a reasonable time that the company had suffered a data breach that affected 600,000 drivers globally.
AG Shapiro claims Uber, therefore, violated a state law that requires companies to notify consumers affected by data hacks within a reasonable time — it’s unclear what exactly that time frame is. There were 13,500 drivers whose first and last names and license numbers were accessed by hackers in 2016, Shapiro said. Uber did not disclose the breach until November 2017.
The fine for failing to notify consumers affected by a hack is $1,000 per person affected, which means Uber could be penalized for up to $13.5 million — a small sum for the ride-hail player. However, it’s a clear sign that the ghosts of the company’s past leadership are still haunting its new executive team.
Fresh off settling Alphabet’s self-driving lawsuit against the company, Uber’s new Chief Legal Officer Tony West continues to grapple with a number of legal issues that he inherited. As Uber prepares to go public in the next two years, buttoning up the many lawsuits levied against the company is more important than ever.
“Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach,” Shapiro said in a statement. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year — and actually paid the hackers to delete the data and stay quiet. That’s just outrageous corporate misconduct, and I’m suing to hold them accountable and recover for Pennsylvanians.”
Uber failed to notify some 57 million users that their data — including names, email addresses, phone numbers and driver’s license numbers — was exposed when hackers accessed that information in 2016, CEO Dara Khosrowshahi revealed in November 2017.
After learning about the breach, Khosrowshahi opened an investigation into how the company handled the incident and fired two people who handled the response process, including Joe Sullivan, Uber’s chief security officer.
Instead of notifying users when the company learned of the breach in 2016, Uber paid the hackers $100,000 to delete the data they got ahold of and keep the hack quiet. A company spokesperson said that, while they’re not making excuses for the failure to disclose the data breach, the new leadership has taken steps to “respond responsibly.”
“We investigated the incident, disclosed the circumstances to state and federal regulators, and reached out to state Attorneys General, including Attorney General Shapiro, to express Uber’s desire to cooperate fully with any investigations,” the spokesperson said in a statement. “While we dispute the accuracy of some of the characterizations in the Pennsylvania Attorney General’s lawsuit, we will continue to cooperate with them and ask only that we be treated fairly.”
Uber has not yet responded to questions about what specifically the company is disputing in the lawsuit.
As Recode first reported, at least five states launched investigations into Uber’s handling of the data breach within days after Khosrowshahi notified the public and consumers that it had happened. At the time, Pennsylvania did not respond to requests for comment.
The city of Chicago also filed a lawsuit against Uber in November 2017 for failing to disclose the data breach. The city has asked a judge to fine Uber $10,000 a day for each day that it violated the state’s ordinance on public information disclosure.
This is developing …