Pennsylvania Suing Uber Over 2016 Data Breach

Ride sharing company took more than a year to notify customers

Back in 2016, Uber was the target of a cyber attack involving the exposure of personal information belonging to 57 million people. It took Uber over a year to publicly report the attack, after paying the hackers a $100,000 extortion fee. Now, two years after the incident, the state of Pennsylvania is suing Uber for not immediately reporting the breach.

Attorney General Josh Shapiro released a statement, "Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year — and actually paid the hackers to delete the data and stay quiet. That's just outrageous corporate misconduct, and I'm suing to hold them accountable and recover for Pennsylvanians."

The particular law Uber is accused of violating is the Pennsylvania Breach of Personal Information Notification Act. Under it, companies are required to notify those impacted by a data breach within a “reasonable amount of time”. The thirteen months between October 2016’s breach and November 2017’s disclosure aren’t what most would consider reasonable. Under Pennsylvania law, Shapiro could seek $13.5 million in penalties.

“Under Pennsylvania law, Shapiro could seek $13.5 million in penalties.”

Uber provided a statement to Engadget, "While we make no excuses for the previous failure to disclose the data breach, Uber's new leadership has taken a series of steps to be accountable and respond responsibly. We investigated the incident, disclosed the circumstances to state and federal regulators, and reached out to state Attorneys General, including Attorney General Shapiro, to express Uber's desire to cooperate fully with any investigations. While we dispute the accuracy of some of the characterizations in the Pennsylvania Attorney General's lawsuit, we will continue to cooperate with them and ask only that we be treated fairly."

Pennsylvania is only the first state to file suit against Uber. As many as 43 more states are investigating, which makes more lawsuits likely. Uber recently announced a venture into the medical transit market with a service for patients to get to and from doctor’s appointments, but right now, Uber has a bit of a public trust problem.