Pennsylvania AG sues Uber over 2016 data fail

Not much brotherly love in this Philly court case

By Shaun Nichols in San Francisco


Uber has been hit with a lawsuit over its failure to disclose the 2016 theft of its customer and driver records.

Pennsylvania state Attorney General Josh Shapiro says the dial-a-ride broker violated state data breach law when it failed to promptly file a report and notify both drivers and passengers of the loss of data.

Shapiro said the suit will seek at least $13.5m in damages.

According to the suit (PDF) filed with the Philadelphia County state district court, Uber violated the state's Consumer Protection Law when, in 2016, it paid a hacker six figures to keep quiet about the incident. Uber finally came forward about the matter in 2017.

Among those whose data was exposed by the attack were 13,500 Uber drivers in Pennsylvania.

By failing to notify those drivers of the breach, Shapiro believes Uber violated the 'Breach of Personal Information Notification Act', a provision that calls for any breach of personal information to be disclosed 'without unreasonable delay'.

"Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year – and actually paid the hackers to delete the data and stay quiet," said Shapiro.

"That’s just outrageous corporate misconduct, and I’m suing to hold them accountable and recover for Pennsylvanians."

The suit asks the court to levy damages against Uber of $1,000 for each of the 13,500 exposed drivers. The suit also seeks legal costs and restitution for the victims.

Uber chief legal officer Tony West, who has promised to cooperate with all state investigations, said in a statement he was "surprised" by Shapiro's lawsuit.

"I look forward to continuing the dialogue we’ve started as Uber seeks to resolve this matter. We make no excuses for the previous failure to disclose the data breach," West told The Register.

"While we do not in any way minimize what occurred, it's crucial to note that the information compromised did not include any sensitive consumer information such as credit card numbers or social security numbers, which present a higher risk of harm than driver’s license numbers." ®
