Updated| Pennsylvania’s attorney general announced Monday that he was suing Uber over a massive data breach in 2016 that the company didn’t reveal until November of last year.
“Uber knew for more than a year that a data breach potentially impacting 57 million passengers and drivers around the world had happened—but the company failed to disclose the breach until last November,” said Pennsylvania Attorney General Josh Shapiro’s office in a statement Monday.
Shapiro is suing the company for violating Pennsylvania’s data breach notification law. The state’s law requires that a company notify its customers in a “reasonable” amount of time that their data had been hacked. At least 13,500 of the state’s residents had personal data like their first and last name and driver’s license numbers taken by hackers, according to Shapiro’s office.
“Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year—and actually paid the hackers to delete the data and stay quiet. That’s just outrageous corporate misconduct,” said Shapiro in the statement.
It was revealed in November that Uber had paid the hackers $100,000 in order to delete the data. Uber did not report the breach to authorities at the time. The breach and subsequent ransom payment came under the regime of controversial former CEO and co-founder Travis Kalanick. He resigned as CEO in June 2017, but still sits on the company’s board of directors.
Uber’s new CEO, Dara Khosrowshahi, took over in August of last year and chose to disclose the hack. Khosrowshahi said at the time two people were fired over the incident.
“While we make no excuses for the previous failure to disclose the data breach, Uber's new leadership has taken a series of steps to be accountable and respond responsibly. We investigated the incident, disclosed the circumstances to state and federal regulators, and reached out to state Attorneys General, including Attorney General Shapiro, to express Uber's desire to cooperate fully with any investigations,” said Uber in a statement to Newsweek. “While we dispute the accuracy of some of the characterizations in the Pennsylvania Attorney General's lawsuit, we will continue to cooperate with them and ask only that we be treated fairly.”
Shapiro’s office is seeking $13.5 million in the lawsuit, $1,000 for each violation, the maximum under Pennsylvania’s law. The suit was filed in the Philadelphia Court of Common Pleas on Monday. The suit also claims that Uber violated the Pennsylvania Unfair Trade Practices and Consumer Protection Law.
Shapiro joins Washington Attorney General Bob Ferguson who filed a multimillion-dollar suit against the company last year.
In a statement to Newsweek Uber Chief Legal Officer Tony West said that it was important to note that “the information compromised did not include any sensitive consumer information such as credit card numbers or social security numbers, which present a higher risk of harm than driver’s license numbers.”
This story was updated to include a response from Uber and Uber's Chief Legal Officer.