Ride-hailing app subject to another lawsuit after 2016 hack exposed user data.
Uber is being sued by the state of Pennsylvania after covering up a huge data breach for a year.
A lawsuit filed on Monday by Attorney General Josh Shapiro stated that the company broke the law when it failed to notify the victims within a reasonable timeframe.
Data from an estimated 50 million Uber riders and seven million Uber drivers was compromised in the breach back in November 2016.
Personal information including names, email addresses, and phone numbers were stolen, as well as the license numbers of Uber drivers.
According to Bloomberg, Uber paid the hackers $100,000 to delete the stolen data and cover up the breach.
Shapiro said in a statement: “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year – and actually paid the hackers to delete the data and stay quiet.
“That’s just outrageous corporate misconduct, and I’m suing to hold them accountable and recover for Pennsylvanians.”
The San Francisco-based company could be sued for $13.5 million – $1,000 for each of the estimated 13,500 drivers affected – under the northeastern state’s data breach notice law.
Uber’s chief legal officer Tony West told the Tribune-Review: “While I was surprised by Pennsylvania's complaint… I look forward to continuing the dialogue we’ve started as Uber seeks to resolve this matter.
“We make no excuses for the previous failure to disclose the data breach.
“I’ve been up front about the fact that Uber expects to be held accountable,” he added. “Our only ask is that Uber be treated fairly and that any penalty reasonably fit the facts.”
Pennsylvania now joins the State of Washington and Chicago in bringing legal action against Uber.
Chicago called for Uber to be sued for $10,000 a day for each day that it violated the state’s public disclosure laws.
Washington is suing for $2,000 for each resident whose data was exposed.