The revelation that Uber concealed a major 2016 data breach affecting 57 million users and paid hackers to destroy the evidence is yet another PR nightmare from Uber’s darkest era, but it’s also a major problem when it comes to state laws around data breach disclosure practices. In light of Bloomberg’s report, the office of New York State Attorney General Eric Schneiderman confirmed to TechCrunch that it has opened an investigation into the incident.
The new investigation won’t be the first time that Uber has tangled with Schneiderman. Flaunting laws over the course of its aggressive pursuit of growth, Uber often ran into conflict with city and state legal authorities, and New York is no exception. The company reached a settlement with Schneiderman’s office in January 2016 over its abuse of private data in a rider-tracking system known as “God View” and its failure to disclose a previous data breach that took place in September 2014 in a timely manner.
As a result of the settlement, Uber was required to encrypt the geodata of its riders, employ a multi-factor authentication system to verify the identity of anyone accessing rider data and make other standard security enhancements to protect consumer privacy. Uber also agreed to pay a $20,000 fine for its failure to disclose the data breach. While that fine was hardly a bump in the road for such a massive tech company, the new security requirements imposed by the Attorney General offered a more robust reproach.
TechCrunch also reached out to the FTC about how it planned to handle news of the new Uber data breach, but the agency replied that it did not have a comment at this time. Earlier this year, Uber settled with the FTC around the “God view” tool and its failure to protect the private data of consumers in a previous data breach. Uber agreed to 20 years of privacy and security auditing as a result of the FTC settlement.
Given the New York Attorney General’s interest in the latest Uber scandal, it follows that Uber will likely be in the hot seat in its home state of California, where under Civil Code 1798.82 businesses are required to disclose data breaches affecting more than 500 state residents to the Attorney General “in the most expedient time possible and without unreasonable delay.” TechCrunch has reached out to the office of California Attorney General Xavier Becerra and we’ll update when we hear back.
Given how far Uber strayed beyond the legal protocols that protect consumer data — and the unsettling twist that it actually paid off its own attackers — it’s likely that we’ll hear much more from state and federal authorities as they investigate a repeat offender that just can’t seem to learn a lesson.