The state could seek as much as $13.5 million in penalties from the ride-hailing firm for its response to the 2016 breach.
Pennsylvania Attorney General Josh Shapiro is suing Uber for taking more than a year to notify thousands of drivers in the
Keystone State that their information was stolen in 2016.
In December, it came to light that hackers in 2016 stole data pertaining to 57 million Uber riders worldwide, as well data on more
than 7 million drivers. Uber concealed the breach for more than a year.
That data breach impacted at least 13,500 Pennsylvania Uber drivers, according to Shapiro’s office. Under the Pennsylvania Breach
of Personal Information Notification Act, Uber should have notified those drivers of the breach within a “reasonable” time frame.
“Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach,” Shapiro said in a
statement. He noted that instead of notifying impacted riders and drivers of the incident, Uber reportedly paid a hacker to keep
it under wraps.
Shapiro called this “outrageous corporate misconduct.”
Under Pennsylvania’s data breach law, the attorney general can sue Uber for up to $1,000 for each violation. With at least 13,500
Pennsylvanians, impacted, it could seek up to $13.5 million from the ride-hailing firm.
Shapiro is one of 43 state attorneys general investigating the data breach, his office said.
The data breach came to light just a few months after Dara Khosrowshahi stepped up as the new CEO of the embattled business. In a
statement to CNET, an Uber spokesperson said the company’s new leadership “has taken a series of steps to be accountable and
respond responsibly” to the breach. “While we dispute the accuracy of some of the characterizations in the Pennsylvania Attorney
General’s lawsuit, we will continue to cooperate with them and ask only that we be treated fairly.”