This morning, Pennsylvania Attorney General Josh Shapiro filed a lawsuit against Uber relating to a major data breach. The breach took place in October 2016, but Uber didn’t notify users about it until November 2017, which Shapiro alleges is illegal.
“Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach,” he said in a press release. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year – and actually paid the hackers to delete the data and stay quiet. That’s just outrageous corporate misconduct, and I’m suing to hold them accountable and recover for Pennsylvanians.”
The massive data breach compromised the data of a staggering 57 million Uber users, and not just customers. Of the 25 million U.S. users affected, 4.1 million were Uber drivers, and the hackers gained access to their names, email addresses, phone numbers, and driver’s license numbers.
Shapiro has the power to sue Uber for $1,000 per violation against a Pennsylvania resident, which adds up to roughly 13,500 violations. If the state wins its case, Uber could owe upwards of $1.3 million.
Uber is no stranger to legal trouble and scandal. In 2017 alone, the company faced criticism for its toxic culture, history of workplace harassment, and involvement in President Trump’s advisory council. It also dealt with lawsuits, leadership issues, resignations, a government investigation, backlash against the misuse of a passenger’s medical records after a sexual assault that occurred in an Uber ride, which led to another lawsuit, and so much more.
Based on Shapiro’s lawsuit, it looks like the company’s 2018 might not be any less tumultuous.
Of course, Uber isn’t the first company targeted by hackers, but Shapiro isn’t suing Uber because of the data breach. He’s suing the company for its response to the breach.
While other major companies should do everything they can to protect users’ data, breaches can and do happen. At that point, a company has a responsibility to inform its customers about the situation.
Ultimately, by suing Uber, Shapiro could deliver a wake-up call to companies that think keeping users in the dark is an acceptable response when hackers access their data.