Uber’s bad days are far from over. Pennsylvania Attorney General Josh Shapiro sued Uber on Monday for not disclosing a massive data breach for more than a year after it occurred in 2016.
Shapiro’s lawsuit alleged that Uber violated Pennsylvania state law by not notifying customers within a “reasonable amount of time,” The Hill reported. Shapiro can seek up to $1,000 in fines for every violation.
“Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach,” Shapiro said in a statement, according to The Hill. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year – and actually paid the hackers to delete the data and stay quiet. That’s just outrageous corporate misconduct, and I’m suing to hold them accountable and recover for Pennsylvanians.”
And Uber spokesperson responded: “While we make no excuses for the previous failure to disclose the data breach, Uber’s new leadership has taken a series of steps to be accountable and respond responsibly. We investigated the incident, disclosed the circumstances to state and federal regulators, and reached out to state Attorneys General, including Attorney General Shapiro, to express Uber’s desire to cooperate fully with any investigations. While we dispute the accuracy of some of the characterizations in the Pennsylvania Attorney General’s lawsuit, we will continue to cooperate with them and ask only that we be treated fairly.”
Uber had disclosed the hack of 57 million Uber customers and drivers back in November. The data breach leaked the names, email addresses, and phone numbers of about 50 million Uber riders and the personal information of 7 million drivers. It did not include social security numbers or details about the rides, according to Uber’s blog post.
At the time of Uber discovering the leak, the company paid the hacker $100,000 to delete the data and to stay quiet. Uber kept the secret under former CEO and cofounder Travis Kalanick. In November, new CEO Dara Khosrowshahi disclosed the occurrence and also fired Uber’s Chief Security Officer Joe Sullivan.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi told Bloomberg in November. “We are changing the way we do business.”
But Shapiro is not letting Uber get away with negligence. According to Shapiro’s office, as reported by The Hill, 43 state attorney generals are investigating Uber’s 2016 data breach.
Updated 3/15/2018, 1:13 p.m. with statement from Uber.