Uber is facing another lawsuit over the massive 2016 data breach. This time, it’s from Pennsylvania Attorney General Josh Shapiro, who alleges Uber violated the state’s data breach notification law.
Shapiro specifically alleges Uber violated the Pennsylvania Breach of Personal Information Notification Act, which requires companies to notify people impacted by a data breach within a reasonable amount of time. That specific law enables the Attorney General’s office to seek up to $1,000 for each violation.
In Pennsylvania, Shapiro says at least 13,500 Uber drivers were affected. That means Shapiro can seek up to $13.5 million from Uber.
“While we make no excuses for the previous failure to disclose the data breach, Uber’s new leadership has taken a series of steps to be accountable and respond responsibly,” an Uber spokesperson said in a statement to TechCrunch. “We investigated the incident, disclosed the circumstances to state and federal regulators, and reached out to state Attorneys General, including Attorney General Shapiro, to express Uber’s desire to cooperate fully with any investigations. While we dispute the accuracy of some of the characterizations in the Pennsylvania Attorney General’s lawsuit, we will continue to cooperate with them and ask only that we be treated fairly.”
As previously reported, Uber did not notify the attorney general’s office until November 21, 2017, more than a year after Uber first discovered the breach. And before Uber reported the breach, the company paid off hackers to destroy the data.
“Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach,” Shapiro said in a press release. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year – and actually paid the hackers to delete the data and stay quiet. That’s just outrageous corporate misconduct, and I’m suing to hold them accountable and recover for Pennsylvanians.”
In total, the breach affected some 57 million riders and drivers. That affected group included 50 million riders and 7 million drivers, and about 600,000 driver license numbers were included in the breach.
This is not the first lawsuit Uber is facing over the data breach. In November, Washington State Attorney General Bob Ferguson filed a multimillion-dollar consumer protection lawsuit against the transportation company.
Ferguson’s lawsuit, which sought penalties for up to $2,000 per violation, alleges Uber violated Washington’s data breach law by failing to notify those affected, as well as the attorney general’s office, within an appropriate amount of time.
That same month, Chicago and Cook County’s state attorney sued Uber over the data breach.
“Since starting on this job three months ago, I’ve spoken with various state and federal regulators in connection with the data breach pledging Uber’s cooperation, and I personally reached out to Attorney General Shapiro and his team in the same spirit a few weeks ago,” Uber Chief Legal Officer Tony West said in a statement to TechCrunch. “While I was surprised by Pennsylvania’s complaint this morning, I look forward to continuing the dialogue we’ve started as Uber seeks to resolve this matter. We make no excuses for the previous failure to disclose the data breach. While we do not in any way minimize what occurred, it’s crucial to note that the information compromised did not include any sensitive consumer information such as credit card numbers or social security numbers, which present a higher risk of harm than driver’s license numbers. I’ve been up front about the fact that Uber expects to be held accountable; our only ask is that Uber be treated fairly and that any penalty reasonably fit the facts.”