Pennsylvania Sues Uber Over Late Breach NotificationState Could Seek As Much as $13.5 Million in Civil Penalties
Pennsylvania on Monday filed a lawsuit against Uber for allegedly violating the state's mandatory breach notification law. It's the latest in a long string of legal and regulatory actions Uber is facing from a serious data breach the company waited more than a year to disclose.
The state's data breach law, which went into effect in 2006, requires companies to notify those affected within a "reasonable" amount of time, according to Attorney General Josh Shapiro.
It is the first time Pennsylvania has sued under the statute on behalf of consumers. The lawsuit also alleges Uber violated Pennsylvania's Unfair Trade Practices and Consumer Protection Law.
At least 13,500 Uber drivers in Pennsylvania were affected. The state could seek $1,000 for each violation, meaning Uber could face a maximum civil penalty of up to $13.5 million.
Uber disclosed last November that hackers accessed 57 million accounts of its riders and drivers worldwide around October 2016. The hackers accessed a back-up file stored on Amazon's S3 storage service. The credentials to access the storage bucket had been left on GitHub, the web-based code sharing and development platform (see Uber Concealed Breach of 57 Million Accounts for a Year).
"That's just outrageous corporate misconduct, and I'm suing to hold them accountable and recover for Pennsylvanians."
—Josh Shapiro, Attorney General, Pennsylvania
Despite the seriousness of the breach, the company kept it under wraps for more than a year. It was later revealed that Uber paid two men about $100,000 via its bug bounty program. The payment was initially positioned as a bug bounty, but the men had actually made extortion-like demands.
Shapiro characterized Uber's handling of the incident as "outrageous corporate conduct."
"Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year - and actually paid the hackers to delete the data and stay quiet," Shapiro says. "That's just outrageous corporate misconduct, and I'm suing to hold them accountable and recover for Pennsylvanians."
The information exposed included 25 million Uber users in the U.S., of which 4.1 million were drivers. For the driver accounts, 600,000 contained license numbers. Nearly all of the data sets including names, email addresses and phone numbers. For some users, Uber IDs and location data was leaked, along with tokens or hashed and salted passwords.
In a statement, Uber's Chief Legal Officer Tony West says the state's lawsuit came as a surprise. West, who has been with Uber for three months, says he personally reached out to Shapiro several weeks ago.
"We make no excuses for the previous failure to disclose the data breach," West says. "I've been up front about the fact that Uber expects to be held accountable; our only ask is that Uber be treated fairly and that any penalty reasonably fit the facts."
West contends that the disclosure of driver's license numbers is not as damaging as credit card or Social Security numbers, which were not leaked.
"While we do not in any way minimize what occurred, it's crucial to note that the information compromised did not include any sensitive consumer information such as credit card numbers or Social Security numbers, which present a higher risk of harm than driver's license numbers," West says.
Shapiro expressed a different opinion about the loss of driver's license numbers.
"The theft of drivers' license information may leave persons vulnerable to identity theft, as thieves who gain access to the information use it to establish phony credit card accounts and run up huge debts in consumers' names," he says.
Long Legal Road
Other than Pennsylvania, state attorneys general in Illinois, Connecticut, New York and Massachusetts have probes underway. Forty-eight states have mandatory breach notification laws, but there is no federal law. Regulators in the United Kingdom, Australia and the Philippines are also investigating Uber.
Uber is in a tough position because company executives have acknowledged their handling of the breach was wrong. Uber paid the money after receiving assurances from the two individuals that the data would be destroyed.
On Feb. 6, Uber CISO John Flynn testified before the U.S. Senate Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security. Flynn told senators Uber should have notified the public sooner about the breach and that paying off the hackers was wrong (see Uber: 'No Justification' for Breach Cover-Up).
Pennsylvania's lawsuit cites some of Flynn's testimony, writing that he acknowledged that the payment to the intruders was not consistent with the terms of its bug bounty program.
"We recognize that the bug bounty program was not appropriate vehicle for dealing with intruders who seek to extort funds from the company," Flynn told the committee.