Back in 2016, Uber was the target of a cyberattack, and the incident is still haunting the company. The attack exposed the personal information of 57 million people. To make matters worse, the company took over a year to tell everyone about the attack, and opted to pay the hackers a $100,000 extortion fee. The company is now facing a lawsuit from the state of Pennsylvania for failing to immediately disclose the data breach.
“Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach,” Attorney General Josh Shapiro said in a statement. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year — and actually paid the hackers to delete the data and stay quiet. That’s just outrageous corporate misconduct, and I’m suing to hold them accountable and recover for Pennsylvanians.”
The state is bringing its case against Uber under the Pennsylvania Breach of Personal Information Notification Act. The act requires companies to notify people who are impacted by any sort of data breach within a reasonable amount of time. In Uber’s case, a year definitely does not sound like a reasonable amount of time, does it? The “reasonable” part of the act will likely be up for debate as the suit proceeds, because the leak occurred in October 2016 and the disclosure occurred in November 2017. The law allows Shapiro to seek up to $13.5 million in penalties from Uber.
In a statement, Uber said: “While we make no excuses for the previous failure to disclose the data breach, Uber’s new leadership has taken a series of steps to be accountable and respond responsibly. We investigated the incident, disclosed the circumstances to state and federal regulators, and reached out to state Attorneys General, including Attorney General Shapiro, to express Uber’s desire to cooperate fully with any investigations. While we dispute the accuracy of some of the characterizations in the Pennsylvania Attorney General’s lawsuit, we will continue to cooperate with them and ask only that we be treated fairly.”
While Pennsylvania is suing Uber, you can bet that other states may follow the same route. As many as 43 other states are investigating Uber’s failure to disclose the hack to the public. As more news comes out about this data breach, we’ll keep you informed.