Pennsylvania attorney general sues Uber over 2016 data breach

Uber's bad days are far from over. Pennsylvania Attorney General Josh Shapiro sued Uber on Monday for not disclosing a massive data breach for more than a year after it occurred in 2016.

Shapiro's lawsuit alleged that Uber violated Pennsylvania state law by not notifying customers within a "reasonable amount of time," The Hill reported. Shapiro can seek up to $1,000 in fines for every violation.

“Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach,” Shapiro said in a statement, according to The Hill. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year – and actually paid the hackers to delete the data and stay quiet. That’s just outrageous corporate misconduct, and I’m suing to hold them accountable and recover for Pennsylvanians.”

An Uber spokesperson responded: "While we make no excuses for the previous failure to disclose the data breach, Uber's new leadership has taken a series of steps to be accountable and respond responsibly. We investigated the incident, disclosed the circumstances to state and federal regulators, and reached out to state Attorneys General, including Attorney General Shapiro, to express Uber's desire to cooperate fully with any investigations. While we dispute the accuracy of some of the characterizations in the Pennsylvania Attorney General's lawsuit, we will continue to cooperate with them and ask only that we be treated fairly."

Uber had disclosed the hack of 57 million Uber customers and drivers back in November. The data breach leaked the names, email addresses, and phone numbers of about 50 million Uber riders and the personal information of 7 million drivers. It did not include social security numbers or details about the rides, according to Uber's blog post.

At the time of Uber discovering the leak, the company paid the hacker $100,000 to delete the data and to stay quiet. Uber kept the secret under former CEO and cofounder Travis Kalanick. In November, new CEO Dara Khosrowshahi disclosed the occurrence and also fired Uber's Chief Security Officer Joe Sullivan.

“None of this should have happened, and I will not make excuses for it,” Khosrowshahi told Bloomberg in November. “We are changing the way we do business.”

But Shapiro is not letting Uber get away with negligence. According to Shapiro's office, as reported by The Hill, 43 state attorney generals are investigating Uber's 2016 data breach.

Later on Monday, Uber's Chief Legal Officer Tony West released a statement claiming that he had spoken directly with Shapiro last month and was "surprised" by the lawsuit.

"Since starting on this job three months ago, I’ve spoken with various state and federal regulators in connection with the data breach pledging Uber’s cooperation, and I personally reached out to Attorney General Shapiro and his team in the same spirit a few weeks ago. While I was surprised by Pennsylvania’s complaint this morning, I look forward to continuing the dialogue we’ve started as Uber seeks to resolve this matter. We make no excuses for the previous failure to disclose the data breach. While we do not in any way minimize what occurred, it's crucial to note that the information compromised did not include any sensitive consumer information such as credit card numbers or social security numbers, which present a higher risk of harm than driver’s license numbers. I’ve been up front about the fact that Uber expects to be held accountable; our only ask is that Uber be treated fairly and that any penalty reasonably fit the facts," West wrote in an emailed statement.

Updated 3/15/2018, 1:13 p.m. with statement from Uber.

Updated 3/15/2018, 4:06 p.m. with statement from Uber's chief legal officer.