Attacks/Breaches
11/30/2017
06:45 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Lawsuits Pile Up on Uber

Washington AG files multimillion-dollar consumer protection lawsuit; multiple states also confirm they are investigating the Uber breach, which means more lawsuits may follow.

It's been quite a week for Uber as the lawsuits from its recent high-profile breach keep on coming. The popular ride-hailing company has been under fire ever since it was disclosed that the company took more than a year to notify consumers of a breach, after which it allegedly paid hackers $100,000 to keep the attack quiet.

The hack reportedly affected 57 million people worldwide and exposed names and driver's license numbers of some 600,000 drivers in the United States.  

First, on Monday, the city of Chicago and Cook County filed a lawsuit asking the court to fine Uber $10,000 a day for each violation of a consumer's privacy. The suit contends Uber took much too long to report the breach.

Next, on Tuesday, Washington State Attorney General Bob Ferguson filed a consumer protection lawsuit against Uber, asking for penalties of up to $2,000 per violation. The lawsuit alleges that at least 10,888 Uber drivers in Washington were breached, so the lawsuit could result in millions of dollars of penalties.

On top of the two lawsuits from state and local governments, Uber has also been hit with two class-action lawsuits. Both cases were filed last week. The first, Alejandro Flores v. Raiser was filed in federal court in Los Angeles. The second lawsuit, Danyelle Townsend and Ken Tew v. Uber, was filed in federal court in San Francisco.

Multiple state governments also say that they are conducting investigations into the Uber breach. Dark Reading has confirmed ongoing investigations by the states of Connecticut, Massachusetts, Missouri, and New York.   

The lawsuit by the state of Washington was seen as significant, because it was the first lawsuit against Uber filed by a state government. Under a 2015 amendment to the state's data breach law, consumers must be notified within 45 days of a breach, and the Attorney's General's office also must be notified within 45 days if the breach affects 500 or more Washington residents. Tuesday's lawsuit was the first one filed under the revised statute.

"Washington law is clear: When a data breach puts people at risk, businesses must inform them," Ferguson said in a press release. "Uber's conduct has been truly stunning. There is no excuse for keeping this information from consumers."

Craig Spiezle, chairman emeritus of the Online Trust Alliance, says the Uber case may spark renewed calls for national data breach legislation. In the past, there's been a general consensus for such a measure because companies must grapple with the cost of  handling the compliance requirements of 48 separate state data breach laws.

"The European Union has a data breach notification requirement of 72 hours," says Spiezle, who worked closely with Attorney General Ferguson on the data breach law in Washington. "While three days is really not enough time, I think Washington's 45-day law is very generous. I've actually been on the record calling for a notification period of 10 days."

The last time the federal government talked seriously about national data breach legislation was in early 2015. At the time, the Obama administration called for a notification period of 30 days. Legislation sponsored that year by Sen. Tom Carper (D-Del) and Sen. Roy Blunt (R-Mo.) would have required companies to notify federal agencies and consumers of a breach that affects more than 5,000 consumers. Few other details were released, such as which agencies companies should report to first, the Department of Homeland Security or the FBI, and the issue slowly died as the 2016 election year morphed into 2017, the nation's first under the Trump administration. 

In response to this most recent Uber case, Sen. Richard Blumenthal (D-Conn.) last week called for the Federal Trade Commission to investigate the Uber breach and impose strict penalties. And Sen. Mark Warner (D-Va.) has expressed support for national data breach legislation. A spokesman for Sen. Warner would offer no new details and would only say national data breach legislation "continues to be a top priority" for the senator.

Efforts to reach Sen. John Thune (R-S.D.) were unsuccessful. Sen. Thune chairs the Senate's Commerce, Science and Transportation committee, which could potentially play an important role in any national data breach legislation. 

Related Content:

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
szurier210
50%
50%
szurier210,
User Rank: Apprentice
12/1/2017 | 10:01:32 AM
Re: Multiple states
It's not clear to me the Attorney Generals trade association has enough critical mass on this issue yet to move forward in any meaningful way. Only a handful of states have made noise. Check out their landing page on data breach notification, it is very old information. No, I think for now you will see the lawsuits pile up and you won't see much movement at the federal level. Sigh. 
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
11/30/2017 | 8:39:47 PM
Multiple states
One thing to bear in mind while watching these lawsuits. Because they are being brought by multiple state governments, you can be sure that the respective consumer-protection departments/bureaus of each state AG's office are collaborating with each other via the National Association of Attorneys General -- right down to sharing discovery documents.

At first I was kind of surprised they didn't go the multistate class-action route, but it occurs to me that the impact is much more easily parsed out because X number of user accounts were definitively breached.
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: That's it, next year we start outsourcing toy production.
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.