Pa. AG Shapiro Sues Uber Over Massive Data Breach
More than 13,500 drivers in Pennsylvania could be vulnerable to identity theft as a result of the incident, according to the lawsuit filed on Monday.
Pennsylvania Attorney General Josh Shapiro has sued Uber over a massive data breach that is estimated to have affected roughly 57 million passengers and drivers around the world – including at least 13,500 drivers in Pennsylvania.
The lawsuit claims the ride-sharing company violated the state’s data breach notification law, which requires organizations to notify customers impacted by a data breach within a “reasonable” time frame.
“Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach,” Shapiro said in a statement on Monday morning. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year – and actually paid the hackers to delete the data and stay quiet. That’s just outrageous corporate misconduct, and I’m suing to hold them accountable and recover for Pennsylvanians.”
According to state law, the AG’s office could seek up to $1,000 per violation, amounting to a total of $13.5 million.
JUST IN: Uber failed to protect their drivers’ personal information, covered up the data breach, then failed to timely notify the 13,500 affected PA Uber drivers as required by state law.
I sued Uber to hold them accountable and protect Pennsylvanians. pic.twitter.com/qtcGvEkiOV
— Josh Shapiro (@JoshShapiroPA) March 5, 2018
The AG’s office claims that the Bureau of Consumer Protection has enlisted 43 state attorneys general to investigate the breach since November. Deputy attorney general Timothy Murphy filed the lawsuit in the Philadelphia Court of Common Pleas on Monday morning. The suit marks the first time that Shapiro has sued under the data breach statute on consumers’ behalf.
Uber disclosed the breach in November, more than a year after the company allegedly became aware of the incident. The New York Times reported in November that hackers stole first and last names and drivers’ license numbers, then asked the company for $100,000 ransom in exchange for deleting the information. Sources close to the incident told the newspaper that the company paid the ransom, then tracked down the hackers and pushed them to sign nondisclosure agreements.
In a statement, a spokesperson for Uber said the company “investigated the incident, disclosed the circumstances to state and federal regulators, and reached out to state Attorneys General, including Attorney General Shapiro, to express Uber’s desire to cooperate fully with any investigations.”
“While we dispute the accuracy of some of the characterizations in the Pennsylvania Attorney General’s lawsuit, we will continue to cooperate with them and ask only that we be treated fairly,” the spokesperson added.
The AG’s Office said another information breach that occurred around the same time – the Equifax breach, which the office is also investigating – could make people especially susceptible to identity theft. That breach affected nearly 148 million Americans and at least 5.5 million Pennsylvanians.
“The more personal information these criminals gain access to, the more vulnerable the person whose information was stolen becomes,” Shapiro said.
The office is asking consumers who believe they may have been affected by the Uber breach to file a complaint with the Bureau of Consumer Protection at 1-800-441-2555 or email scams@attorneygeneral.gov.