
Pa. Attorney General Josh Shapiro takes Uber to court over 2016 data breach

Uber has violated Pennsylvania’s data breach notification law, according to state Attorney General Josh Shapiro, who called the company’s actions “outrageous corporate misconduct.”

On Monday, the Bureau of Consumer Protection filed a civil suit against the San Francisco-based ride-hailing company.

At least 13,500 Pennsylvania Uber drivers were impacted by a 2016 data breach, Mr. Shapiro’s office announced in a press release, and the company knew about the hack for more than a year before notifying impacted users last November. Drivers’ first and last names, as well as their driver’s license numbers, were stolen.

That runs afoul of the Pennsylvania Breach of Personal Information Notification Act, enacted in 2006 to promote transparency in business organizations that maintain, store or manage computerized personal data.

When any resident’s unencrypted and unredacted personal information is believed to have been accessed and acquired by an unauthorized person, the state’s notification requirements are triggered.

The company in question must give notice to those impacted “without unreasonable delay,” according to the law, which does not define the terms of what is “unreasonable.”

“Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach,” Mr. Shapiro said in a release Monday.

“Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year — and actually paid the hackers to delete the data and stay quiet.”

Mr. Shapiro’s legal team can seek civil penalties as high as $13.5 million from Uber.

The suit comes as at least 43 state attorneys general have been investigating the data breach. About 57 million passengers and drivers were impacted by the hack in total.

A second claim in the lawsuit against Uber alleges the company’s conduct violated the Pennsylvania Unfair Trade Practices and Consumer Protection Law.

“While I was surprised by Pennsylvania’s complaint this morning, I look forward to continuing the dialogue we’ve started as Uber seeks to resolve this matter,” said Tony West, chief legal counsel for Uber, in a statement. “We make no excuses for the previous failure to disclose the data breach.”

Mr. West added that it’s crucial to note that the breach did not include any sensitive consumer information such as credit card numbers or social security numbers, which present a higher risk of harm than driver’s license numbers, he said.

The attorney general’s office noted that theft of driver’s license information — in combination with other instances of stolen data like the Equifax breach — can leave people vulnerable to identity theft. Stolen driver’s license numbers are sold on the dark web to build complete profiles of a person, according to the release.

“The more personal information these criminals gain access to, the more vulnerable the person whose information was stolen becomes,” Mr. Shapiro said.

The attorney general’s office encourages Pennsylvanians who believe they may have been impacted by the Uber breach to file a complaint with the Bureau of Consumer Protection.

Call the bureau at 1-800-441-2555 or email scams@attorneygeneral.gov.

Courtney Linder: clinder@post-gazette.com or 412-263-1707. Twitter: @LinderPG.

March 5, 2018, 6:40 p.m.: This story has been updated to include a statement from Uber.

First Published: March 5, 2018, 3:08 p.m.
Updated: March 5, 2018, 3:08 p.m.
