Pa. sues Uber for waiting over a year to disclose massive data breach

Pennsylvania is seeking up to $13.5 million in damages from Uber after the ride-sharing platform suffered a breach of driver and passenger data and did not disclose it for over a year.

In late November, Uber Technologies Inc. admitted that 57 million driver and passenger accounts worldwide had been hacked. The company kept it secret after paying a $100,000 ransom.

“Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year — and actually paid the hackers to delete the data and stay quiet,” Pa. Attorney General Josh Shapiro said in a statement. “That’s just outrageous corporate misconduct, and I’m suing to hold them accountable and recover for Pennsylvanians.”

The breach impacted at least 13,500 Pennsylvania drivers who had their names and driver's license numbers stolen. The data, which did not include credit card or Social Security information, could have been used to steal someone's identity.

The lawsuit, filed in Philadelphia Court of Common Pleas, claims Uber violated the Pennsylvania Breach of Personal Information Notification Act, which requires notice to anyone impacted by a data breach within a “reasonable” time frame. Washington state and Chicago have also sued Uber.

In a statement, an Uber spokesman said the company was “surprised” Monday morning to be named in the complaint, but was cooperating with state investigations.

“While we make no excuses for the previous failure to disclose the data breach, Uber’s new leadership has taken a series of steps to be accountable and respond responsibly,” the spokesman said. “We investigated the incident, disclosed the circumstances to state and federal regulators, and reached out to state Attorneys General.”
