Pa. attorney general sues Uber over 2016 data breach

Pa. attorney general sues Uber over 2016 data breach
© Getty Images

The Pennsylvania attorney general is suing Uber for failing to disclose a massive 2016 data breach for more than a year, alleging that the company violated state law requiring that consumers be notified of such hacks within a “reasonable” amount of time.

Attorney General Josh Shapiro announced the lawsuit Monday, about four months after Uber revealed that 57 million people had been exposed in the breach a year before.

“Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach,” Shapiro said in a statement. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year — and actually paid the hackers to delete the data and stay quiet. That’s just outrageous corporate misconduct, and I’m suing to hold them accountable and recover for Pennsylvanians.”

ADVERTISEMENT
Uber has admitted to paying the hackers responsible $100,000 to destroy the stolen data and to not disclose the breach. The company’s new leadership revealed the hack in November as part of their efforts to turn over a new leaf following the ouster of the embattled former CEO and co-founder Travis Kalanick.
Uber's chief legal officer, Tony West, said that while he's surprised by the lawsuit, he intends to continue working with Shapiro's office and prosecutors around the country.
 
"We make no excuses for the previous failure to disclose the data breach," West said in a statement. "While we do not in any way minimize what occurred, it's crucial to note that the information compromised did not include any sensitive consumer information such as credit card numbers or Social Security numbers, which present a higher risk of harm than driver’s license numbers." 
 
"I’ve been up front about the fact that Uber expects to be held accountable; our only ask is that Uber be treated fairly and that any penalty reasonably fit the facts,” West added.

Shapiro’s office said Monday that 43 state attorneys general are investigating the data breach. Washington’s top prosecutor, Bob Ferguson, also announced a lawsuit against Uber for violating his state’s data breach notification law.

Pennsylvania’s law requires companies to notify consumers of data breaches within a reasonable amount of time after it’s been discovered. Shapiro can seek up to $1,000 in fines for every violation that occurred.

Updated at 3:22 p.m.