11:30 AM
Scott Ferguson
News Analysis-Security Now

Uber Faces Lawsuit in Pennsylvania Over 2016 Data Breach

Pennsylvania's attorney general has filed a lawsuit against Uber, claiming that 13,500 residents had their personal information compromised and the company did not alert its customers.

Pennsylvania Attorney General Josh Shapiro has filed a consumer-protection lawsuit against Uber, claiming that the company violated the state's consumer protection laws, following a massive data breach disclosed last year.

In the lawsuit, filed March 5, Shapiro claims that 13,500 Pennsylvania drivers who work for Uber had their first name, last name and driver's license numbers stolen during the October 2016 data breach. Uber did not notify drivers and consumers until November 2017.

Since Uber did not notify the drivers in accordance with state law, the company violated Pennsylvania's Breach of Personal Information Notification Act, which requires identity theft victims affected by a data breach to be notified within a "reasonable" timeframe.

Under state law, Uber faces a $1,000 fine for each violation, meaning that the company is looking at a potential $13.5 million lawsuit from the AG's office.

"Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year -- and actually paid the hackers to delete the data and stay quiet," Shapiro wrote in a statement. "That's just outrageous corporate misconduct, and I'm suing to hold them accountable and recover for Pennsylvanians."

In November, the company's new CEO, Dara Khosrowshahi, announced in a blog post that the company was the victim of a massive data breach that compromised the personal information of about 57 million Uber users and drivers. The theft included names, email addresses, mobile phone numbers, and US drivers' license numbers. (See Uber Loses Customer Data: Customers Yawn & Keep Riding.)

Adding insult to injury is that, during the 13-month delay in notifying victims, Uber apparently worked to cover up the incident with federal regulators and then paid about $100,000 to the cyberthieves to erase the stolen data.

The breach actually happened while Travis Kalanick, Uber's founder, was still working as the company's CEO.

In a statement to Security Now, Tony West, Uber's chief legal officer, noted:

While I was surprised by Pennsylvania's complaint this morning, I look forward to continuing the dialogue we've started as Uber seeks to resolve this matter. We make no excuses for the previous failure to disclose the data breach. While we do not in any way minimize what occurred, it's crucial to note that the information compromised did not include any sensitive consumer information such as credit card numbers or social security numbers, which present a higher risk of harm than driver's license numbers.

In his statement, Shapiro noted that his office is continuing to investigate the incident and is urging anyone who may have had their identity stolen to contact the AG's office.

— Scott Ferguson, Editor, Enterprise Cloud News. Follow him on Twitter @sferguson_LR.
