Uber faces more potential legal consequences for waiting to make public a major hack until over a year after it happened. The Pennsylvania Attorney General filed a lawsuit against Uber Monday for violating the state's data breach notification law, which says hacks should be disclosed within a "reasonable" time frame. Uber didn't merely keep quiet about the massive breach; it reportedly paid a $100,000 ransom to the perpetrators in exchange for their silence. And while experts say Uber will likely settle the case, it may be just the latest in a cascade of similar lawsuits.
The stolen Uber data included the names and driver's license information of around 600,000 drivers—including at least 13,500 from Pennsylvania—as well as data belonging to 25 million users in the US. It impacted over 57 million people in total. "Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach," Josh Shapiro, the state's attorney general, said in a statement. "Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year and actually paid the hackers to delete the data and stay quiet." Under Pennsylvania's data breach notice law, the attorney general may seek fines up to $1,000 for each violation, leading to a maximum penalty of $13.5 million for Uber.
'It wouldn't surprise me at all to see more lawsuits.'
Woodrow Hartzog, Northeastern University
Pennsylvania's lawsuit joins a growing line of lawsuits against the ride-share company. Washington state and cities including Los Angeles and Chicago filed suits when the breach was first made public by the company's new CEO Dara Khosrowshahi in November. Two class-action lawsuits were also filed in California days after the breach was first disclosed. Attorneys general from New York, Missouri, and Connecticut have also said they would look into the breach. Forty-eight states (excluding South Dakota and Alabama) currently have laws on the books regulating how and when a data breach must be disclosed.