Ride sharing company took more than a year to notify customers
Back in 2016, Uber was the target of a cyber attack involving the exposure of personal information belonging to 57 million people. It took Uber over a year to publicly report the attack, after paying the hackers a $100,000 extortion fee. Now, two years after the incident, the state of Pennsylvania is suing Uber for not immediately reporting the breach.
Attorney General Josh Shapiro released a statement, "Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year — and actually paid the hackers to delete the data and stay quiet. That's just outrageous corporate misconduct, and I'm suing to hold them accountable and recover for Pennsylvanians."
The particular law Uber is accused of violating is the Pennsylvania Breach of Personal Information Notification Act. Under it, companies are required to notify those impacted by a data breach within a “reasonable amount of time”. The thirteen months between October 2016’s breach and November 2017’s disclosure aren’t what most would consider reasonable. Under Pennsylvania law, Shapiro could seek $13.5 million in penalties.
Uber provided a statement to Engadget, "While we make no excuses for the previous failure to disclose the data breach, Uber's new leadership has taken a series of steps to be accountable and respond responsibly. We investigated the incident, disclosed the circumstances to state and federal regulators, and reached out to state Attorneys General, including Attorney General Shapiro, to express Uber's desire to cooperate fully with any investigations. While we dispute the accuracy of some of the characterizations in the Pennsylvania Attorney General's lawsuit, we will continue to cooperate with them and ask only that we be treated fairly."
Pennsylvania is only the first state to file suit against Uber. As many as 43 more states are investigating, which makes more lawsuits likely. Uber recently announced a venture into the medical transit market with a service for patients to get to and from doctor’s appointments, but right now, Uber has a bit of a public trust problem.