Pennsylvania AG Shapiro sues Uber for massive data breach, penalties up to $13.5m
Staff Writer |
Pennsylvania Attorney General Josh Shapiro filed a lawsuit against Uber Technologies, Inc. for violating Pennsylvania’s data breach notification law.
Article continues below
>
Uber knew for more than a year that a data breach potentially impacting 57 million passengers and drivers around the world had happened – but the company failed to disclose the breach until last November.
At least 13,500 Pennsylvania Uber drivers were impacted by the breach. Their first and last names and their drivers’ license numbers were stolen by hackers.
Under Pennsylvania’s data breach notification law, Uber was required to notify impacted persons of the breach within a reasonable time frame, but the company failed its duty to do so.
The lawsuit alleges Uber violated the Pennsylvania Breach of Personal Information Notification Act, which requires notice to persons impacted by a data breach within a “reasonable†time frame.
The suit represents the first time Attorney General Shapiro is suing under that statute on consumers’ behalf. Under the law, the Attorney General’s office may seek remedies of up to $1,000 for each violation.
With at least 13,500 Uber drivers impacted by the breach, the Attorney General’s legal team can seek civil penalties as high as $13.5 million from Uber.
A second claim in the lawsuit against Uber alleges the company’s conduct violated the Pennsylvania Unfair Trade Practices and Consumer Protection Law.
Attorney General Shapiro’s Bureau of Consumer Protection began investigating the Uber breach as soon as the company publicly disclosed it last fall. As many as 43 state Attorneys General have been investigating this data breach.
Attorney General Shapiro directed his Bureau of Consumer Protection to file a lawsuit, and the suit was submitted this morning to the Philadelphia Court of Common Pleas.
The theft of drivers’ license information may leave persons vulnerable to identity theft, as thieves who gain access to the information use it to establish phony credit card accounts and run up huge debts in consumers’ names.
Oft-times, stolen drivers’ license numbers are sold on the dark web as cyber-criminals build complete packages of information to steal a person’s identity.
Another factor is the many other data breaches taking place around the same time as the Uber breach.
Personal financial data such as the kind stolen from consumers during the Equifax data breach – a massive breach impacting nearly 148 million Americans and at least 5.5 million Pennsylvanians – could be combined by cyber-criminals with data stolen during the Uber breach to put together fraudulent profiles. ■