Pennsylvania is suing Uber for up to $13.5 million in penalties for failing to disclose its data breach quickly enough

State Attorney General Josh Shapiro said the company violated Pennsylvania’s Breach of Personal Information Notification Act.

Photo: Uber CEO Dara Khosrowshahi (Drew Angerer / Getty)

Pennsylvania Attorney General Josh Shapiro is suing Uber for failing to disclose within a reasonable time that the company had suffered a data breach that affected 600,000 drivers globally.

AG Shapiro claims Uber, therefore, violated a state law that requires companies to notify consumers affected by data hacks within a reasonable time — it’s unclear what exactly that time frame is. There were 13,500 Pennsylvania drivers whose first and last names and license numbers were accessed by hackers in 2016, Shapiro said. Uber did not disclose the breach until November 2017.

The fine for failing to notify consumers affected by a hack is $1,000 per person affected, which means Uber could be penalized for up to $13.5 million — a small sum for the ride-hail player. However, it’s a clear sign that the ghosts of the company’s past leadership are still haunting its new executive team.

Fresh off settling Alphabet’s self-driving lawsuit against the company, Uber’s new Chief Legal Officer Tony West continues to grapple with a number of legal issues that he inherited. As Uber prepares to go public in the next two years, buttoning up the many lawsuits levied against the company is more important than ever.

“Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach,” Shapiro said in a statement. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year — and actually paid the hackers to delete the data and stay quiet. That’s just outrageous corporate misconduct, and I’m suing to hold them accountable and recover for Pennsylvanians.”

West said he was surprised by the lawsuit and had reached out to Shapiro personally “a few weeks ago.”

“We make no excuses for the previous failure to disclose the data breach,” West said in a statement. “While we do not in any way minimize what occurred, it’s crucial to note that the information compromised did not include any sensitive consumer information such as credit card numbers or social security numbers, which present a higher risk of harm than driver’s license numbers. I’ve been up front about the fact that Uber expects to be held accountable; our only ask is that Uber be treated fairly and that any penalty reasonably fit the facts.”

Uber failed to notify some 57 million users that their data — including names, email addresses, phone numbers and driver’s license numbers — was exposed when hackers accessed that information in 2016, CEO Dara Khosrowshahi revealed in November 2017.

After learning about the breach, Khosrowshahi opened an investigation into how the company handled the incident and fired two people who handled the response process, including Joe Sullivan, Uber’s chief security officer.

Instead of notifying users when the company learned of the breach in 2016, Uber paid the hackers $100,000 to delete the data they got ahold of and keep the hack quiet.

In the suit, the state raised questions about Uber’s explanation that the payment was part of a bug bounty program, citing the recent testimony of the company’s Chief Information Security Officer, John Flynn, to the U.S. Senate Committee on Commerce, Science and Transportation.

The suit reads:

“Uber claimed that the payment of at least $100,000 was done through a ‘bug bounty’ program which allows the company to reward an outsider who reports a software vulnerability. However, Uber’s Chief Information Security Officer John Flynn admitted during his live testimony to the U.S. Senate Committee on Commerce, Science and Transportation on February 6, 2018 that the payment was not consistent with how the bug bounty program operated. Specifically, Flynn stated, ‘this was a multistep malicious intrusion, a downloading of data and extortionate demand means this wasn’t consistent with the way that the [bug bounty] program normally operates.’”

A company spokesperson said, while they’re not making excuses for the failure to disclose the data breach, the new leadership has taken steps to “respond responsibly.”

“We investigated the incident, disclosed the circumstances to state and federal regulators, and reached out to state Attorneys General, including Attorney General Shapiro, to express Uber’s desire to cooperate fully with any investigations,” the spokesperson said in a statement. “While we dispute the accuracy of some of the characterizations in the Pennsylvania Attorney General’s lawsuit, we will continue to cooperate with them...”

Uber did not yet respond to questions about what specifically the company is disputing in the lawsuit.

As Recode first reported, at least five states launched investigations into Uber’s handling of the data breach within days after Khosrowshahi notified the public and consumers that it had happened. At the time, Pennsylvania did not respond to requests for comment.

The city of Chicago also filed a lawsuit against Uber in November 2017 for failing to disclose the data breach. The city has asked a judge to fine Uber $10,000 a day for each day that it violated the state’s ordinance on public information disclosure.

This is developing ...
