Pennsylvania attorney general sues Uber over delayed data breach notification
Pennsylvania Attorney General Josh Shapiro is suing Uber for taking more than a year to notify thousands of drivers in the Keystone State that their information was stolen in 2016.
In December, it came to light that hackers in 2016 stole data pertaining to 57 million Uber riders worldwide, as well as data on more than 7 million drivers. Uber concealed the breach for more than a year.
That data breach impacted at least 13,500 Pennsylvania Uber drivers, according to Shapiro's office. Under the Pennsylvania Breach of Personal Information Notification Act, Uber should have notified those drivers of the breach within a "reasonable" time frame.
"Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach," Shapiro said in a statement. He noted that instead of notifying impacted riders and drivers of the incident, Uber reportedly paid a hacker to keep it under wraps.
Shapiro called this "outrageous corporate misconduct."
Under Pennsylvania's data breach law, the attorney general can sue Uber for up to $1,000 for each violation. With at least 13,500 Pennsylvanians impacted, it could seek up to $13.5 million from the ride-hailing firm.
Shapiro is one of 43 state attorneys general investigating the data breach, his office said.
The data breach came to light just a few months after Dara Khosrowshahi stepped up as the new CEO of the embattled business. In a statement to CNET, an Uber spokesperson said the company's new leadership "has taken a series of steps to be accountable and respond responsibly" to the breach. "While we dispute the accuracy of some of the characterizations in the Pennsylvania Attorney General's lawsuit, we will continue to cooperate with them and ask only that we be treated fairly."