Pennsylvania Is Taking Uber to Court Over Delayed Notification of 2016 Hack
Uber is being sued by the Pennsylvania Attorney General Josh Shapiro for taking over a year to notify users of its 2016 hack. Over 50 million riders’ and 7 million drivers’ data was affected. Now, Shapiro has filed a lawsuit against the ride-hailing company that could cost it tens of millions of dollars in fines.
“Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach,” Shapiro said in a statement. The data breach impacted 13,500 Uber drivers in the state according to the AG’s office. The stolen data included users’ names, email addresses, phone numbers and driver’s license numbers.
Uber eventually came forward after over a year, reporting this breach in November last year.
“None of this should have happened, and I will not make excuses for it,” the troubled company’s new CEO, Dara Khosrowshahi, had said at the time. “We are changing the way we do business.”
However, this time the company might have to pay millions of dollars in fines as the Pennsylvania Breach of Personal Information Notification Act requires companies to disclose breaches within a “reasonable amount of time.” Shapiro said in a press release it was an “outrageous corporate misconduct” that instead of informing its consumers, the company paid up hackers to buy their silence.
“Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year – and actually paid the hackers to delete the data and stay quiet.” Shapiro
Considering there are approximately 13,500 affected drivers in the state, according to CNET, the AG can sue $1,000 for each violation, totalling $13.5 million.
The lawsuit also alleges that the company’s conduct violated the Pennsylvania Unfair Trade Practices and Consumer Protection Law. Shapiro is one of the 43 state Attorneys General who are currently investigating Uber’s 2016 data breach.
In its own statement, Uber continues to play the “we are now a new company” card under the new leadership. “While we make no excuses for the previous failure to disclose the data breach, Uber’s new leadership has taken a series of steps to be accountable and respond responsibly,” an Uber spokesperson said. “While we dispute the accuracy of some of the characterizations in the Pennsylvania attorney general’s lawsuit, we will continue to cooperate with them and ask only that we be treated fairly.”