Attacks/Breaches

11/30/2017
06:45 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Lawsuits Pile Up on Uber

Washington AG files multimillion-dollar consumer protection lawsuit; multiple states also confirm they are investigating the Uber breach, which means more lawsuits may follow.

It's been quite a week for Uber as the lawsuits from its recent high-profile breach keep on coming. The popular ride-hailing company has been under fire ever since it was disclosed that the company took more than a year to notify consumers of a breach, after which it allegedly paid hackers $100,000 to keep the attack quiet.

The hack reportedly affected 57 million people worldwide and exposed names and driver's license numbers of some 600,000 drivers in the United States.  

First, on Monday, the city of Chicago and Cook County filed a lawsuit asking the court to fine Uber $10,000 a day for each violation of a consumer's privacy. The suit contends Uber took much too long to report the breach.

Next, on Tuesday, Washington State Attorney General Bob Ferguson filed a consumer protection lawsuit against Uber, asking for penalties of up to $2,000 per violation. The lawsuit alleges that at least 10,888 Uber drivers in Washington were breached, so the lawsuit could result in millions of dollars of penalties.

On top of the two lawsuits from state and local governments, Uber has also been hit with two class-action lawsuits. Both cases were filed last week. The first, Alejandro Flores v. Raiser was filed in federal court in Los Angeles. The second lawsuit, Danyelle Townsend and Ken Tew v. Uber, was filed in federal court in San Francisco.

Multiple state governments also say that they are conducting investigations into the Uber breach. Dark Reading has confirmed ongoing investigations by the states of Connecticut, Massachusetts, Missouri, and New York.   

The lawsuit by the state of Washington was seen as significant, because it was the first lawsuit against Uber filed by a state government. Under a 2015 amendment to the state's data breach law, consumers must be notified within 45 days of a breach, and the Attorney's General's office also must be notified within 45 days if the breach affects 500 or more Washington residents. Tuesday's lawsuit was the first one filed under the revised statute.

"Washington law is clear: When a data breach puts people at risk, businesses must inform them," Ferguson said in a press release. "Uber's conduct has been truly stunning. There is no excuse for keeping this information from consumers."

Craig Spiezle, chairman emeritus of the Online Trust Alliance, says the Uber case may spark renewed calls for national data breach legislation. In the past, there's been a general consensus for such a measure because companies must grapple with the cost of  handling the compliance requirements of 48 separate state data breach laws.

"The European Union has a data breach notification requirement of 72 hours," says Spiezle, who worked closely with Attorney General Ferguson on the data breach law in Washington. "While three days is really not enough time, I think Washington's 45-day law is very generous. I've actually been on the record calling for a notification period of 10 days."

The last time the federal government talked seriously about national data breach legislation was in early 2015. At the time, the Obama administration called for a notification period of 30 days. Legislation sponsored that year by Sen. Tom Carper (D-Del) and Sen. Roy Blunt (R-Mo.) would have required companies to notify federal agencies and consumers of a breach that affects more than 5,000 consumers. Few other details were released, such as which agencies companies should report to first, the Department of Homeland Security or the FBI, and the issue slowly died as the 2016 election year morphed into 2017, the nation's first under the Trump administration. 

In response to this most recent Uber case, Sen. Richard Blumenthal (D-Conn.) last week called for the Federal Trade Commission to investigate the Uber breach and impose strict penalties. And Sen. Mark Warner (D-Va.) has expressed support for national data breach legislation. A spokesman for Sen. Warner would offer no new details and would only say national data breach legislation "continues to be a top priority" for the senator.

Efforts to reach Sen. John Thune (R-S.D.) were unsuccessful. Sen. Thune chairs the Senate's Commerce, Science and Transportation committee, which could potentially play an important role in any national data breach legislation. 

Related Content:

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
szurier210
50%
50%
szurier210,
User Rank: Apprentice
12/1/2017 | 10:01:32 AM
Re: Multiple states
It's not clear to me the Attorney Generals trade association has enough critical mass on this issue yet to move forward in any meaningful way. Only a handful of states have made noise. Check out their landing page on data breach notification, it is very old information. No, I think for now you will see the lawsuits pile up and you won't see much movement at the federal level. Sigh. 
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
11/30/2017 | 8:39:47 PM
Multiple states
One thing to bear in mind while watching these lawsuits. Because they are being brought by multiple state governments, you can be sure that the respective consumer-protection departments/bureaus of each state AG's office are collaborating with each other via the National Association of Attorneys General -- right down to sharing discovery documents.

At first I was kind of surprised they didn't go the multistate class-action route, but it occurs to me that the impact is much more easily parsed out because X number of user accounts were definitively breached.
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Empathy: The Next Killer App for Cybersecurity?
Shay Colson, CISSP, Senior Manager, CyberClarity360,  11/13/2018
Understanding Evil Twin AP Attacks and How to Prevent Them
Ryan Orsi, Director of Product Management for Wi-Fi at WatchGuard Technologies,  11/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Post a Comment
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15759
PUBLISHED: 2018-11-19
Pivotal Cloud Foundry On Demand Services SDK, versions prior to 0.24 contain an insecure method of verifying credentials. A remote unauthenticated malicious user may make many requests to the service broker with different credentials, allowing them to infer valid credentials and gain access to perfo...
CVE-2018-15761
PUBLISHED: 2018-11-19
Cloud Foundry UAA release, versions prior to v64.0, and UAA, versions prior to 4.23.0, contains a validation error which allows for privilege escalation. A remote authenticated user may modify the url and content of a consent page to gain a token with arbitrary scopes that escalates their privileges...
CVE-2018-17190
PUBLISHED: 2018-11-19
In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code ...
CVE-2018-1841
PUBLISHED: 2018-11-19
IBM Cloud Private 2.1.0 could allow a local user to obtain the CA Private Key due to it being world readable in boot/master node. IBM X-Force ID: 150901.
CVE-2018-18519
PUBLISHED: 2018-11-19
BestXsoftware Best Free Keylogger 5.2.9 allows local users to gain privileges via a Trojan horse "%PROGRAMFILES%\BFK 5.2.9\syscrb.exe" file because of insecure permissions for the BUILTIN\Users group.