Pennsylvania’s attorney general sued Uber on Monday for allegedly violating the state’s data breach notification law by waiting more than a year to disclose an incident that compromised the personal information of 57 million users.
Uber discovered the breach in late 2016 but failed to disclose it until last November — well beyond the “reasonable” time frame allowed under Pennsylvania’s data breach law, according to state Attorney General Josh Shapiro.
“Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach,” said Mr. Shapiro, a Democrat. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year — and actually paid the hackers to delete the data and stay quiet. That’s just outrageous corporate misconduct, and I’m suing to hold them accountable and recover for Pennsylvanians.”
During the breach, hackers stole the personal information of over 57 million Uber users, including the driver’s license information of roughly 600,000 drivers, among them at least 13,500 from Pennsylvania, according to the ride-hailing company.
Uber has come under fire for acknowledging the incident in November 2017, more than a year after the fact, and admitting to having paid the hackers to allegedly destroy the stolen data.
“While I was surprised by Pennsylvania’s complaint this morning, I look forward to continuing the dialogue we’ve started as Uber seeks to resolve this matter,” Tony West, Uber’s chief legal officer, said in a statement in response to Pennsylvania’s lawsuit.
“We make no excuses for the previous failure to disclose the data breach. While we do not in any way minimize what occurred, it’s crucial to note that the information compromised did not include any sensitive consumer information such as credit card numbers or social security numbers, which present a higher risk of harm than driver’s license numbers,” Mr. West said.
At least 43 states are currently investigating the Uber breach, Mr. Shapiro’s office said Monday. Lawsuits have previously been filed by Washington state’s attorney general, Bob Ferguson, as well as cities including Los Angeles and Chicago.
Pennsylvania law allowed for the attorney general’s office to seek up to $1,000 in fines per violation.
Forty-eight states — all but South Dakota and Alabama — currently have legislation in place with respect to disclosing data breaches. Democrats in the Senate Commerce Committee reintroduced legislation in December that carries prison time for corporate executives caught deliberately concealing data breaches, citing at the time the Uber breach in particular.
• Andrew Blake can be reached at ablake@washingtontimes.com.