Pennsylvania has filed a lawsuit against Uber, accusing the firm of violating the State’s breach notification law. The suit, filed yesterday, is one of several actions the ride-hailing giant is currently facing as the result of allegedly waiting more than a year to inform the public of a significant data breach.
Uber disclosed last November that it had suffered a major breach more than a year earlier, and there appears to be evidence that the firm even paid the hackers to keep quiet about the success of their attack. Since 2006, however, Pennsylvania has required companies operating in the State to notify anyone affected by a data breach within a “reasonable” amount of time, a standard that the State alleges Uber’s conduct did not meet. At least 13,500 Uber drivers in Pennsylvania had private data (including names and driver’s license numbers) that may have leaked in the breach, and none of them were informed of the potential compromise for over a year. Because State law provides for fines of up to $1,000 per violation, Uber could potentially be on the hook for $13.5 million. In its suit, the State also claims that Uber violated its Unfair Trade Practices and Consumer Protection Law, which could lead the State to seek additional money as well.
“Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach,” Pennsylvania Attorney General Shapiro said. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year – and actually paid the hackers to delete the data and stay quiet. That’s just outrageous corporate misconduct, and I’m suing to hold them accountable and recover for Pennsylvanians.”
Uber’s delayed notification of the breach was also exploited by scammers. Among other things, they tricked Uber customers into believing they would receive a $50 credit towards rides on Lyft, Uber’s main competitor, in exchange for resetting their passwords after the breach. In reality, no password was reset through the bogus process; the credentials entered were simply captured by the criminals running the scam.