HARRISBURG – Pennsylvania Attorney General Josh Shapiro today filed a lawsuit against Uber Technologies Inc. for violating Pennsylvania’s data breach notification law.
Uber knew for more than a year that a data breach potentially impacting 57 million passengers and drivers around the world had happened – but the company failed to disclose the breach until last November, he said.
According to him, at least 13,500 Pennsylvania Uber drivers were impacted by the breach. Their first and last names and their drivers’ license numbers were stolen by hackers.
Under Pennsylvania’s data breach notification law, Uber was required to notify impacted persons of the breach within a reasonable time frame, but the company failed its duty to do so.
“Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach,” Shapiro said.
“Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year – and actually paid the hackers to delete the data and stay quiet.
“That’s just outrageous corporate misconduct, and I’m suing to hold them accountable and recover for Pennsylvanians.”
The lawsuit alleges Uber violated the Pennsylvania Breach of Personal Information Notification Act, which requires notice to persons impacted by a data breach within a “reasonable” time frame.
The suit represents the first time Shapiro is suing under that statute on consumers’ behalf. Under the law, the Attorney General’s office may seek remedies of up to $1,000 for each violation.
With at least 13,500 Uber drivers impacted by the breach, the Attorney General’s legal team can seek civil penalties as high as $13.5 million from Uber.
A second claim in the lawsuit against Uber alleges the company’s conduct violated the Pennsylvania Unfair Trade Practices and Consumer Protection Law.
Shapiro’s Bureau of Consumer Protection began investigating the Uber breach as soon as the company publicly disclosed it last fall.
As many as 43 state Attorneys General have been investigating this data breach. Shapiro directed his Bureau of Consumer Protection to file a lawsuit, and the suit was submitted this morning to the Philadelphia Court of Common Pleas.
The theft of drivers’ license information may leave persons vulnerable to identity theft, as thieves who gain access to the information use it to establish phony credit card accounts and run up huge debts in consumers’ names, Shapiro said.
Oftentimes, he said that stolen drivers’ license numbers are sold on the dark web as cyber-criminals build complete packages of information to steal a person’s identity.
Another factor is the many other data breaches taking place around the same time as the Uber breach.
Personal financial data such as the kind stolen from consumers during the Equifax data breach – a massive breach impacting nearly 148 million Americans and at least 5.5 million Pennsylvanians – could be combined by cyber-criminals with data stolen during the Uber breach to put together fraudulent profiles.
“The more personal information these criminals gain access to, the more vulnerable the person whose information was stolen becomes,” Shapiro said.
“That’s why my Bureau of Consumer Protection is not only taking action in the Uber breach today – we are also leading a national investigation into the Equifax breach.”
Pennsylvania drivers impacted by the Uber breach finally began receiving notice from the company of the breach beginning last November – more than a year after the breach occurred.
Shapiro encouraged any Pennsylvanian who believes he or she may have been impacted by the Uber breach to file a complaint with his Bureau of Consumer Protection.
“We want to hear from you,” Shapiro said. “Call my Bureau of Consumer Protection at 1-800-441-2555 or e-mail us at firstname.lastname@example.org.
“Call me. We’re standing up to this company, and we need to know if you’ve been harmed.”
Shapiro also recommended any Uber drivers in Pennsylvania who believe they were impacted by the breach should monitor their credit report to protect themselves from any further vulnerability.
Deputy Attorney General Timothy Murphy is the lead Bureau of Consumer Protection attorney on the Uber lawsuit.