Uber company failed to notify victims of data breach and Pennsylvania has taken it very seriously. Its attorney general is suing the company to make them take full responsibility. Uber has offered its cooperation and all the information available. Although there has not been damages until now, Pennsylvania´s law protects potential victims.
Fail to notify
The state attorney general from Pennsylvania sued Uber company on Monday, alleging it broke the law. Uber found out that personal information from its users was stolen by hackers. However, they held the information for over a year before notifying potentially affected users, including drivers.
A state law requires that victims are notified of a data breach as soon as it is possible. In this case, hackers walked away with data from at least 13,500 Uber drivers names and license´s numbers.
Attorney General Josh Shapiro stated that Uber took more than one year to notify affected users about the violation. Before doing so, they negotiated with hackers to eliminate the information and remain quiet. Shapiro considered such behavior as scandalous corporate behavior and said he was suing to make them take responsibility and give answers to Pennsylvania´s residents.
Although Shapiro´s office couldn´t offer specific details, Pennsylvanians were encouraged to file their complaint if they felt affected by the Uber attack.
As reported by Uber, the stolen data didn´t include social security numbers or credit card data. But hackers stole: driver´s license numbers of 600,000 Uber drivers and personal information related to mobile phone numbers and email addresses of 57 million riders worldwide.
Uber recognized it paid $100,000 to hackers as a way to make them destroy the information. They also informed they never found evidence of improper use of the stolen data. At this moment, Uber informed they were fully cooperating with Pennsylvania investigators.
Tony West, Uber´s chief legal officer asked for a fair treatment for his client as it is willing to take full responsibility for its actions.
Millions of dollars in civil penalties are being requested through the lawsuit. The sum includes $1,000 per violation of each consumer protection laws. In addition, violations involving people 60 years or older is seeking $3,000 each.
The law that applies to punish companies like Uber when they fail to notify potential victims of a breach of personal data is 12 years old. It is the first time that the state of Pennsylvania sues for this reason.