After Uber hack, Pa. officials want answers
A state senator and Pennsylvania's attorney general are among officials demanding answers from Uber after the company waited nearly a year to disclose a breach that compromised data belonging to more than 57 million customers and drivers.
Uber discovered in late 2016 that hackers had stolen customers' email addresses, phone numbers and names, as well as 600,000 driver's license numbers belonging to the ride-sharing service's drivers. The company reportedly paid the hackers $100,000 to destroy the data.
Uber did not disclose the incident to the public until Nov. 21, leaving affected riders and drivers, as well as government regulators, in the dark for nearly a year.
State Sen. Jay Costa (D-Allegheny) says that's a problem - and potentially a violation of Pennsylvania law.
"You’ve got individuals who believe the integrity of the data they provide is protected," Costa said. "It’s extremely important for folks to have trust in the entities they work with."
Costa wrote a letter last week to Pennsylvania Attorney General Josh Shapiro, asking his office to investigate whether Uber violated the state's 2005 Breach of Personal Information Act. The act requires companies to report breaches to customers "without unreasonable delay."
Shapiro has since sent a letter to Uber's lawyers requesting more information. Unlike some other states, Pennsylvania has not yet joined a formal lawsuit or opened a formal investigation into the company.
Federal law has little to say about how companies notify customers about data breaches, leaving the onus on states to come up with their own protections.
Pennsylvania's laws, however, are somewhat vague and do not define what constitutes "an unreasonable delay" between when a company discovers a breach and when it reports that breach to the public.
Costa maintains that a year, in Uber's case, qualifies as an unreasonable amount of time to leave customers unaware that criminals could have their information. He said he is pleased with Shapiro's decision to look into the company's response.
Since the breach became public, Uber has apologized for waiting so long to inform customers and has promised to review its procedures for responding to any future breaches. Company officials say they are not aware of any fraudulent activity tied to the compromised information.
In a statement emailed to the Business Journal, an Uber spokesperson said: "We take this matter very seriously and we are happy to answer any questions regulators may have. We are committed to changing the way we do business, putting integrity at the core of every decision we make, and working hard to regain the trust of consumers."
Uber is the second large company in recent months to draw fire for its response to a breach. Credit-reporting agency Equifax has received significant criticism since disclosing in September that it waited months to inform the public about a breach that compromised data belonging to more than 143 million people.