Latest in Transportation

Image credit: Kim Hong-Ji / Reuters

Pennsylvania sues Uber over 2016 data breach

The issue is specifically over just how long it took the ridesharing company to report the hack.
Kim Hong-Ji / Reuters

Uber may be trying to clean up its image with new services like Uber Health, but its past mistakes keep coming back to haunt it. Back in 2016, Uber was the target of a cyberattack, which exposed the personal information of 57 million people. It took Uber over a year to actually report the attack; the company instead chose to pay the hackers a $100,000 extortion fee. Now, the state of Pennsylvania is suing Uber for failing it immediately disclose the breach.

"Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach," Attorney General Josh Shapiro said in a statement. "Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year — and actually paid the hackers to delete the data and stay quiet. That's just outrageous corporate misconduct, and I'm suing to hold them accountable and recover for Pennsylvanians."

The law Uber is charged with violating is the Pennsylvania Breach of Personal Information Notification Act. This requires companies to notify people who are impacted by any breach of data within a reasonable amount of time. It's difficult to argue that thirteen months, which is the amount of time between the October 2016 leak and November 2017 disclosure, is "reasonable". The law allows Shapiro to seek up to $13.5 million in penalties from Uber.

You can bet that Pennsylvania won't be the last state to file suit against Uber; as many as 43 others are investigating Uber's failure to disclose the hack. You can bet that this isn't the last we'll hear about this data breach.

Update: We've heard from Uber on the suit. They gave us the following statement: "While we make no excuses for the previous failure to disclose the data breach, Uber's new leadership has taken a series of steps to be accountable and respond responsibly. We investigated the incident, disclosed the circumstances to state and federal regulators, and reached out to state Attorneys General, including Attorney General Shapiro, to express Uber's desire to cooperate fully with any investigations. While we dispute the accuracy of some of the characterizations in the Pennsylvania Attorney General's lawsuit, we will continue to cooperate with them and ask only that we be treated fairly."

From around the web

ear iconeye icontext filevr