Pa. sues Uber for waiting over a year to disclose massive data breach

Pennsylvania is seeking up to $13.5 million in damages from Uber after the ride-sharing platform suffered a data breach of driver and passenger data and did not disclose the information for over a year.

In late November, Uber Technologies Inc. admitted that 57 million driver and passenger accounts worldwide had been hacked. The company kept it secret after paying a $100,000 ransom.

“Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year — and actually paid the hackers to delete the data and stay quiet,” Pa. Attorney General Josh Shapiro said in a statement. “That’s just outrageous corporate misconduct, and I’m suing to hold them accountable and recover for Pennsylvanians.”

The breach impacted at least 13,500 Pennsylvania drivers who had their names and drivers license numbers stolen. The data, which did not included credit card or social security data information, could have been used to steal someone’s identity.

The lawsuit, filed in Philadelphia Court of Common Pleas, claims Uber violated the Pennsylvania Breach of Personal Information Notification Act, which requires notice to anyone impacted by a data breach within a “reasonable” time frame. Washington state and Chicago have also sued Uber.

In a statement, an Uber spokesman said the company was “surprised” Monday morning to be named in the complaint, but was cooperating with state investigations.

“While we make no excuses for the previous failure to disclose the data breach, Uber’s new leadership has taken a series of steps to be accountable and respond responsibly,” the spokesman said. “We investigated the incident, disclosed the circumstances to state and federal regulators, and reached out to state Attorneys General.”