Pennsylvania AG says Uber must pay up over data breach

Uber engaged in "outrageous corporate misconduct" when it waited more than a year to disclose a massive hack, the attorney general says.

Alfred Ng, Senior Reporter, CNET News
Dara Kerr, Former senior reporter

Uber violated consumer protection laws when it delayed notification about a data breach, Pennsylvania's attorney general says.


Uber's got a new legal fight on its hands.

Pennsylvania Attorney General Josh Shapiro on Monday filed a lawsuit against Uber after the San Francisco-based ride-sharing company took more than 12 months to inform users that it suffered a major hack.

"Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach," Shapiro said in a press release. "Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year -- and actually paid the hackers to delete the data and stay quiet." 

The attackers accessed the information of 25 million users in the US, 4.1 million of whom were drivers. The stolen data included names, email addresses, phone numbers and driver's license numbers. Approximately 600,000 driver's license numbers were compromised, but no credit card or Social Security numbers were stolen. About 13,500 of the affected Uber drivers lived in Pennsylvania, according to the lawsuit.

Under Pennsylvania law, Shapiro can sue for $1,000 for each violation. That means the attorney general's office could seek $13.5 million from Uber. 

Although the hack took place in October 2016, the company didn't notify the public until November 2017. By failing to notify users in a timely manner, the lawsuit said, Uber violated Pennsylvania's Breach of Personal Information Notification Act, which requires companies to notify people affected by data breaches in a "reasonable" time frame. 

"When it learned about the 2016 Data Breach, Uber did not notify law enforcement authorities or consumers about the breach," the lawsuit says. "Instead, Uber paid the hackers at least $100,000 to delete the acquired consumer data and keep quiet about the breach."

Shapiro said in a statement that Uber's payoff was "outrageous corporate misconduct."

Uber in the courts

Uber is no stranger to legal tussles. In February, it settled with Google's Waymo for about $245 million in a high-profile confrontation over self-driving cars and Silicon Valley trade secrets. Later in the month, it got hit with a lawsuit alleging that it discriminates against people in wheelchairs. It's also had to defend itself against charges of sexual assault by its drivers.

The company, which appointed a new CEO, Dara Khosrowshahi, three months before the disclosure of the 2016 breach, said in a statement Monday that it's a changed company.

"While we make no excuses for the previous failure to disclose the data breach, Uber's new leadership has taken a series of steps to be accountable and respond responsibly," an Uber spokesman said. "While we dispute the accuracy of some of the characterizations in the Pennsylvania attorney general's lawsuit, we will continue to cooperate with them and ask only that we be treated fairly."

Uber's chief legal officer, Tony West, joined the company three months ago and said he immediately reached out to various state and federal regulators about the data breach, promising Uber's cooperation.

"I personally reached out to Attorney General Shapiro and his team in the same spirit a few weeks ago," West said in an emailed statement. "While I was surprised by Pennsylvania's complaint this morning, I look forward to continuing the dialogue we've started as Uber seeks to resolve this matter.

"While we do not in any way minimize what occurred, it's crucial to note that the information compromised did not include any sensitive consumer information such as credit card numbers or Social Security numbers, which present a higher risk of harm than driver's license numbers," he continued.

Uber's chief security officer, John "Four" Flynn, also testified before the Senate Commerce committee in early February to provide the government a technical overview of the data breach. During his testimony, he explained the steps Uber has taken to strengthen its security systems and procedures going forward.

Data breaches, meanwhile, have become a fact of life in a world devoted to apps, e-commerce and an internet overstuffed with personal information. They strike seemingly everywhere with grim regularity, from government agencies to big businesses to online hookup services.

The problem has prompted calls to action by government officials around the world. Last month, for instance, US Attorney General Jeff Sessions announced the formation of a cybersecurity task force to look into a wide range of threats, including "theft of corporate, governmental, and private information on a mass scale."

The Pennsylvania attorney general's office is taking the multiple reported breaches into account, pointing out that personal information stolen in the Equifax breach could be combined with data from the Uber breach to help criminals commit identity theft.

"The more personal information these criminals gain access to, the more vulnerable the person whose information was stolen becomes," Shapiro said.

The stolen data had been stored on Uber's Amazon Web Services cloud account. Uber reached out to the hackers and said it confirmed that the stolen data had been deleted permanently. Following the announcement, the company offered credit monitoring and identity theft protection to people who were affected.

The Pennsylvania AG's office is asking any state residents who feel they were affected by Uber's breach to file a complaint with the Bureau of Consumer Protection at scams@attorneygeneral.gov. 

Originally published March 5 at 7:30 a.m. PT.
Update at 8:12 a.m. PT: Adds background and more details from the court filing.
Update at 9:10 a.m. PT: Adds statements from the Pennsylvania attorney general.
Update at 10:04 a.m. PT: Adds statement from Uber and other background.
Update at 12:39 p.m. PT: Adds statement from Uber Chief Legal Officer Tony West and other background.