Pennsylvania's attorney general is suing Uber for waiting more than a year to disclose a breach that exposed the personal information, such as driver's licenses, of 57 million customers and drivers.
Uber reportedly funneled a $100,000 payment through its bug bounty program to a hacker to destroy data and keep a hack a secret.
Noting that “Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach,” State Attorney General Josh Shapiro said in a release that rather than notifying those affected “within a reasonable amount of time, Uber hid the incident for over a year – and actually paid the hackers to delete the data and stay quiet.”
The ride-sharing company, which was already in hot water with regulators for a 2014 breach, “was under a legal obligation to notify regulators and to the impacted users and drivers,” Corey Williams, senior director of products and marketing at Centrify, said when news of the most recent breach broke in November. “Instead they took extreme measures to hide the hack.”
The Pennsylvania lawsuit charges that Uber violated the Pennsylvania Breach of Personal Information Notification Act as well as the Pennsylvania Unfair Trade Practices and Consumer Protection Law. Under the notification act, the AG's office can seek as much as $1,000 for each violation – in this case as much as $13.5 million since 13,500 Uber drivers may have been affected.
“The more personal information these criminals gain access to, the more vulnerable the person whose information was stolen becomes,” Shapiro said. “That's why my Bureau of Consumer Protection is not only taking action in the Uber breach today – we are also leading a national investigation into the Equifax breach.”