Pennsylvania Attorney General Josh Shapiro filed a lawsuit against Uber after the company took more than a year to let users know it was the victim of a major hack, CNet’s Alfred Ng and Dara Karr reported.
“Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach,” Shapiro said in a press release. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year — and actually paid the hackers to delete the data and stay quiet.”
The online attackers got a hold of 25 million users’ information in the United States, 4.1 million of whom were drivers. The hacked data included names, email addresses, phone numbers and driver’s license numbers. About 600,000 driver’s license numbers were taken, but no credit card or Social Security numbers were obtained. Approximately 13,500 of the affected Uber drivers live in Pennsylvania, according to the lawsuit.
Shapiro can sue for $1,000 per violation under Pennsylvania law. In total, Shapiro’s office could look for $13.5 million from the car company.
The online attack happened in October 2016, but Uber didn’t alert the public until November 2017. The delay in notifying users violated the state’s Breach of Personal Information Notification Act, which requires companies to let data breach victims know about the hack in a “reasonable” amount of time.
“When it learned about the 2016 Data Breach, Uber did not notify law enforcement authorities or consumers about the breach,” the lawsuit stated. “Instead, Uber paid the hackers at least $100,000 to delete the acquired consumer data and keep quiet about the breach.”
Shapiro said in a statement that Uber’s payoff was “outrageous corporate misconduct.”
Uber appointed a new chief executive officer, Dara Khosrowshahi, three months before the company disclosed the 2016 breach. Khosrowshahi said in a statement Uber is a different company now.
“While we make no excuses for the previous failure to disclose the data breach, Uber’s new leadership has taken a series of steps to be accountable and respond responsibly,” the company said in a statement. “While we dispute the accuracy of some of the characterizations in the Pennsylvania attorney general’s lawsuit, we will continue to cooperate with them and ask only that we be treated fairly.”
Tony West, Uber’s chief legal officer, joined the company three months ago, and he stated that he reached out to numerous state and federal regulators about the data breach and promised the company would cooperate.
“I personally reached out to Attorney General Shapiro and his team in the same spirit a few weeks ago,” West said in an emailed statement. “While I was surprised by Pennsylvania’s complaint this morning, I look forward to continuing the dialogue we’ve started as Uber seeks to resolve this matter. While we do not in any way minimize what occurred, it’s crucial to note that the information compromised did not include any sensitive consumer information such as credit card numbers or Social Security numbers, which present a higher risk of harm than driver’s license numbers.”
Shapiro’s office took other reported breaches into consideration because the information obtained from the Equifax breach could be combined with the stolen Uber information to help thieves commit identity theft.
“The more personal information these criminals gain access to, the more vulnerable the person whose information was stolen becomes,” Shapiro said.