Uber has found itself in yet another legal battle.
On Monday, March 12, 2018, Pennsylvania Attorney General Josh Shapiro filed a lawsuit against the ride-sharing company, which is based in San Francisco, California, after it took over a year to notify its users about a major data breach. Hackers compromised the company’s data in October 2016; however, the company did not inform its users until November 2017. The Attorney General called the company’s response to the data breach “outrageous corporate misconduct”.
The hack exposed the data of more than 25 million users in the United States. Of that total, 4.1 million were drivers for the company, and at least 13,500 of those drivers resided in Pennsylvania. The hackers gained access to data that included names, email addresses, phone numbers, and driver’s license numbers. While no credit card or Social Security numbers were compromised, approximately 600,000 driver’s licenses were exposed.
Under Pennsylvania law, the Attorney General can sue for $1,000 per violation, amounting to a potential judgment of $13.5 million for Uber.
As stated in the lawsuit, Uber violated Pennsylvania’s Breach of Personal Information Notification Act, which requires companies to notify users affected by data breaches in a timely manner. Uber did not inform law enforcement or its users about the hack; instead, as the lawsuit says, the company “paid the hackers at least $100,000 to delete the acquired consumer data and keep quiet about the breach.”
Uber Faces Potential $13.5 Million Lawsuit from Pennsylvania Attorney General Over Data Breach, TechCrunch (March 05, 2018)
Commonwealth of Pennsylvania v. Uber Technologies, Civil Action Complaint, March 2, 2018