Uber Technologies was sued by Pennsylvania Attorney General (AG) Josh Shapiro on Monday (March 5) over charges that it violated the state’s data breach notification law.
In a press release, the AG’s office said Uber knew for more than a year that it had been hit by a data breach that could have impacted its 57 million customers and drivers but failed to disclose knowledge of it to the public. Reports have surfaced that Uber even paid the hackers $100,000 to keep the breach quiet.
“Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach,” Attorney General Shapiro said in the press release. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year — and actually paid the hackers to delete the data and stay quiet. That’s just outrageous corporate misconduct, and I’m suing to hold them accountable and recover for Pennsylvanians.”
According to Shapiro, at least 13,500 Pennsylvania Uber drivers were impacted by the breach, with their first and last names and driver’s license numbers stolen by hackers. Under Pennsylvania’s data breach notification law, Uber was required to notify those impacted within a reasonable timeframe, which it failed to do. Under the Pennsylvania Breach of Personal Information Notification Act, the AG’s office can seek remedies of up to $1,000 for each violation. With at least 13,500 Uber drivers from the state impacted, the AG can seek civil penalties of as much as $13.5 million from the ridesharing company.
In addition to violating the breach notification law, the AG’s office said Uber also violated the Pennsylvania Unfair Trade Practices and Consumer Protection Law.
“The more personal information these criminals gain access to, the more vulnerable the person whose information was stolen becomes,” Attorney General Shapiro said. “That’s why my Bureau of Consumer Protection is not only taking action in the Uber breach today — we are also leading a national investigation into the Equifax breach.”