Uber has violated Pennsylvania’s data breach notification law, according to state Attorney General Josh Shapiro, who called the company’s actions “outrageous corporate misconduct.”
On Monday, the Bureau of Consumer Protection filed a civil suit against the San Francisco-based ride-hailing company.
At least 13,500 Pennsylvania Uber drivers were impacted by a 2016 data breach, Mr. Shapiro’s office announced in a press release, and the company knew about the hack for more than a year before notifying impacted users last November. Drivers’ first and last names, as well as their driver’s license numbers, were stolen.
That flies in the face of the Pennsylvania Breach of Personal Information Notification Act, enacted in 2006 to promote transparency in business organizations that maintain, store or manage computerized personal data.
When any resident’s unencrypted and unredacted personal information is believed to have been accessed and acquired by an unauthorized person, the state’s notification requirements are triggered.
The company in question must give notice to those impacted “without unreasonable delay,” according to the law, which does not define the terms of what is “unreasonable.”
“Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach,” Mr. Shapiro said in a release Monday.
“Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year — and actually paid the hackers to delete the data and stay quiet.”
Mr. Shapiro’s legal team can seek civil penalties as high as $13.5 million from Uber.
The suit comes as at least 43 state attorneys general have been investigating the data breach. About 57 million passengers and drivers were impacted by the hack in total.
A second claim in the lawsuit against Uber alleges the company’s conduct violated the Pennsylvania Unfair Trade Practices and Consumer Protection Law.
“While I was surprised by Pennsylvania’s complaint this morning, I look forward to continuing the dialogue we’ve started as Uber seeks to resolve this matter,” said Tony West, chief legal counsel for Uber, in a statement. “We make no excuses for the previous failure to disclose the data breach.”
Mr. West added that it’s crucial to note that the breach did not include any sensitive consumer information such as credit card numbers or social security numbers, which present a higher risk of harm than driver’s license numbers.
The attorney general’s office noted that theft of driver’s license information — in combination with other instances of stolen data like the Equifax breach — can leave people vulnerable to identity theft. Stolen driver’s license numbers are sold on the dark web to build complete profiles of a person, according to the release.
“The more personal information these criminals gain access to, the more vulnerable the person whose information was stolen becomes,” Mr. Shapiro said.
The attorney general’s office encourages Pennsylvanians who believe they may have been impacted by the Uber breach to file a complaint with the Bureau of Consumer Protection.
Call the bureau at 1-800-441-2555 or email scams@attorneygeneral.gov.
Courtney Linder: clinder@post-gazette.com or 412-263-1707. Twitter: @LinderPG.
March 5, 2018, 6:40 p.m.: This story has been updated to include a statement from Uber.
First Published: March 5, 2018, 3:08 p.m.
Updated: March 5, 2018, 3:08 p.m.