Pennsylvania Attorney General Josh Shapiro is suing Uber for failing to promptly disclose a data breach that exposed the personal information of thousands of drivers in the state.
The incident dates back to November 2017, when it was reported that the company went to great lengths to cover up a massive breach in 2016 by paying hackers $100,000 to dispose of the data.
The compromise impacted roughly 50 million Uber users worldwide and another 7 million drivers. According to Shapiro’s office, at least 13,500 of those were drivers based in Pennsylvania.
“Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach,” said Shapiro in a press release.
“Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year and actually paid the hackers to delete the data and stayed quiet,” Shapiro added.
“That’s just outrageous corporate misconduct, and I’m suing to hold them accountable and recover for Pennsylvanians,” said Shapiro.
Under the Pennsylvania Breach of Personal Information Notification Act, the Attorney General’s office may seek remedies of up to $1,000 for each violation – in this case, as much as $13.5 million in civil penalties.
The suit also claims the San-Francisco-based company violated the Pennsylvania Unfair Trade Practices and Consumer Protection Law.
Shapiro is one of 43 state Attorneys General investigating the breach since it was disclosed last fall, his office said.
In response to the lawsuit, an Uber spokesperson told CNET that the company’s new leadership “has taken a series of steps to be accountable and respond responsibly” to the breach.
“While we dispute the accuracy of some of the characterizations in the Pennsylvania Attorney General’s lawsuit, we will continue to cooperate with them and ask only that we be treated fairly,” the company said.