Wednesday, 18 July, 2018

Pennsylvania Attorney General sues Uber over data breach

Pennsylvania is suing Uber over 2016 data breach Pennsylvania Attorney General sues Uber over data breach
Theresa Hayes | 06 March, 2018, 16:34

The ride-hailing company Uber broke Pennsylvania law when it failed to notify potential victims, including thousands of drivers, for a year after it discovered hackers had stolen their personal information, said the state attorney general, who sued the company Monday. Under Pennsylvania's data breach notification law, Uber was required to notify impacted persons of the breach within a reasonable time frame, but the company failed its duty to do so. In a statement, Shapiro's office claims that at least 13,500 Pennsylvania Uber users had their first and last names, and driver's license numbers stolen in the hack.

According to Bloomberg, Uber paid the hackers $100,000 to delete the data and hide the breach. Shapiro said in a press release it was an "outrageous corporate misconduct" that instead of informing its consumers, the company paid up hackers to buy their silence.

Uber could be on the hook for $1,000 for each of the at least 13,500 drivers affected, according to Shapiro's office. Personal financial data such as the kind stolen from consumers during the Equifax data breach - a massive breach impacting almost 148 million Americans and at least 5.5 million Pennsylvanians - could be combined by cyber-criminals with data stolen during the Uber breach to put together fraudulent profiles. We make no excuses for the previous failure to disclose the data breach. The stolen data included names, email addresses, phone numbers and driver's license numbers.

The Pennsylvania attorney general has filed a lawsuit against Uber over concealing a data breach from October 2016.

As CNET reports, data breaches have become a fact of life for many consumers.

Uber acknowledged in November that for more than a year it covered up a hacking attack.

Joe Grace, a spokesman for Shapiro's office said the attorney general stands by the lawsuit. "That's why my Bureau of Consumer Protection is not only taking action in the Uber breach today - we are also leading a national investigation into the Equifax breach".

In the aftermath, Khosrowshahi said that two employees with its cybersecurity consulting firm were let go, they individually notified those with stolen driver's license numbers and provided those affected with free credit and identity theft monitoring, as well as finally notifying the regulatory authorities.

In late November, Uber Technologies Inc. admitted that 57 million driver and passenger accounts worldwide had been hacked.

In its own statement, Uber continues to play the "we are now a new company" card under the new leadership. "We are changing the way we do business".

Uber did not yet respond to questions about what specifically the company is disputing in the lawsuit.