Uber admitted last year that its former security officer and deputies had paid hackers $100,000 to destroy consumer data they had accessed and to keep the breach under wraps.
Over a year after the hack occurred, the company fired the employees who made the payment, publicly apologized, and promised to investigate, but for the Pennsylvania Attorney General, the company-led investigation was too little, too late.
Pennsylvania AG Josh Shapiro is now suing Uber under a state law that requires companies to warn consumers about data hacks within a reasonable time, though the law does not specify exactly how long that time frame is.
Data breach not disclosed for over a year
The names, email addresses and phone numbers of 50 million riders and seven million drivers were compromised in October 2016. However, Uber did not warn its customers or launch a public investigation until Bloomberg reported on the breach over a year later, in November 2017.
Of the seven million drivers, 600,000 also had their driver’s license numbers accessed, Uber told the news agency.
“None of this should have happened, and I will not make excuses for it,” CEO Dara Khosrowshahi told Bloomberg at the time. “We are changing the way we do business.”
The Pennsylvania AG’s office determined that approximately 13,500 drivers in the state had their driver’s license information accessed in the hack. Shapiro is seeking to penalize the company $1,000 for every person affected by the breach, bringing the potential fine to $13.5 million.
“Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year — and actually paid the hackers to delete the data and stay quiet,” Shapiro said in an announcement.
Uber’s new Chief Legal Officer Tony West told Recode that he was surprised by the lawsuit.
“While we do not in any way minimize what occurred, it’s crucial to note that the information compromised did not include any sensitive consumer information such as credit card numbers or social security numbers, which present a higher risk of harm than driver’s license numbers,” West told the site.
Drivers can find out if their license information was stolen by searching on the Uber website.