Pennsylvania AG sues Uber over data breach
The first large-scale action to enforce the commonwealth's data breach notification law took place Monday when Pennsylvania Attorney General Josh Shapiro filed a lawsuit against Uber Technologies Inc.
In the suit, Shapiro alleges that the ride-sharing company violated Pennsylvania’s data breach notification law and the Pennsylvania Unfair Trade Practices and Consumer Protection Law when it discovered that hackers had breached its database in late 2016.
Under Pennsylvania’s data breach notification law, Uber was required to notify affected persons of the breach within a reasonable time frame, but the company allegedly failed to do so, according to the attorney general.
"Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach," Shapiro said in a statement.
Hackers stole customers’ names, phone numbers and email addresses, as well as 600,000 driver’s license numbers belonging to Uber’s drivers. In Pennsylvania, information on 13,500 Uber drivers was stolen. All told, the breach affected 57 million Uber users worldwide.
Instead of notifying affected customers and drivers within a reasonable amount of time, Shapiro said, Uber hid the incident for more than a year and paid hackers to delete the data and stay quiet. Uber reportedly paid hackers $100,000.
"That’s just outrageous corporate misconduct, and I’m suing to hold them accountable and recover for Pennsylvanians," Shapiro said.
The lawsuit, he said, represents the first he has filed on consumers’ behalf under the state statute.
While individual drivers might have tried to cobble together claims, they would be unable to sue for violation of the data breach notification law, said Devin J. Chwastyk, chairman of the privacy and data security group of law firm McNees Wallace & Nurick LLC.
"This lawsuit says that the commonwealth is going to hold this corporation accountable and responsible for its action in this particularly egregious case," he said, adding that the move may make other organizations take data security more seriously.
Many states have very broad definitions in their data breach notification laws, Chwastyk said. In the commonwealth's law, Social Security, driver’s license and financial account numbers are all outlined.
Some states have expanded their laws beyond their initial scope. Chwastyk pointed to Illinois, which most recently added biometric information to its state law following a slew of complaints that involved tanning booths storing fingerprint information.
In the suit against Uber, the attorney general's office is seeking civil penalties that could total as high as $13.5 million.
Tony West, Uber's new chief legal officer, noted that prior to the announcement of the lawsuit, he had reached out to Shapiro.
"Since starting on this job three months ago, I’ve spoken with various state and federal regulators in connection with the data breach pledging Uber’s cooperation, and I personally reached out to Attorney General Shapiro and his team in the same spirit a few weeks ago. While I was surprised by Pennsylvania’s complaint this morning, I look forward to continuing the dialogue we’ve started as Uber seeks to resolve this matter," West said in an emailed statement. "We make no excuses for the previous failure to disclose the data breach. While we do not in any way minimize what occurred, it's crucial to note that the information compromised did not include any sensitive consumer information such as credit card numbers or social security numbers, which present a higher risk of harm than driver’s license numbers. I’ve been up front about the fact that Uber expects to be held accountable; our only ask is that Uber be treated fairly and that any penalty reasonably fit the facts."
Since the breach was officially disclosed last fall, as many as 43 state attorneys general have conducted investigations on the matter, Shapiro noted.
The theft of driver’s license information, Shapiro said, may leave persons vulnerable to identity theft, as thieves who gain access to the information use it to establish phony credit card accounts and run up huge debts in consumers’ names.
During the same time as the Uber data breach, Equifax also experienced a substantial data breach that impacted around 5.5 million Pennsylvanians.
"The more personal information these criminals gain access to, the more vulnerable the person whose information was stolen becomes," Shapiro said. "That’s why my Bureau of Consumer Protection is not only taking action in the Uber breach today – we are also leading a national investigation into the Equifax breach."
People who may have been impacted should file a complaint with the Bureau of Consumer Protection at 1-800-441-2555 or email email@example.com.
Editor's note: This story has been updated from its original version with comments from Uber's chief legal officer.