ShareThis Page

Uber surprised by lawsuit by Pennsylvania attorney general in data breach

Aaron Aupperlee
| Monday, March 5, 2018, 11:09 a.m.
Gene J. Puskar/AP

A lawsuit filed Monday against Uber by Pennsylvania's attorney general surprised the ride-hailing and technology giant.

Attorney General Josh Shapiro sued Uber for taking a year to notify thousands of drivers that hackers stole their personal information.

The lawsuit could force Uber to pay up to $13.5 million in penalties.

Shapiro said Uber violated a Pennslyvania law requiring notice to people affected by data breaches within a “reasonable time.”

“Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year – and actually paid the hackers to delete the data and stay quiet,” Shapiro said in a statement. “That's just outrageous corporate misconduct, and I'm suing to hold them accountable and recover for Pennsylvanians.”

Uber could be on the hook for $1,000 for each of the at least 13,500 drivers affected, according to Shapiro's office.

Tony West, Uber's chief legal officer, said the lawsuit caught him by surprise. West, who took over legal affairs for Uber in November, said he has reached out to Shapiro and his team pledging Uber's cooperation.

“While I was surprised by Pennsylvania's complaint this morning, I look forward to continuing the dialogue we've started as Uber seeks to resolve this matter. We make no excuses for the previous failure to disclose the data breach,” West wrote in a statement to the Tribune-Review. “I've been up front about the fact that Uber expects to be held accountable; our only ask is that Uber be treated fairly and that any penalty reasonably fit the facts.”

West wrote — and noted that he was not trying to minimize the situation — that while driver's license numbers were exposed in the hack, more sensitive information such are credit card or social security numbers were not.

Joe Grace, a spokesman for Shapiro's office said the attorney general stands by the lawsuit. The office noted that the theft of driver's license number may leave people vulnerable to identify theft. Driver's license numbers can be used to open credit cards and are often sold on the dark web to cyber criminals, the office wrote in a press release.

“The more personal information these criminals gain access to, the more vulnerable the person whose information was stolen becomes,” Shapiro said in the statement.

Washington state and Chicago has also sued Uber.

The Associated Press contributed to this report. Aaron Aupperlee is a Tribune-Review staff writer. Reach him at, 412-336-8448 or via Twitter @tinynotebook.

TribLIVE commenting policy

You are solely responsible for your comments and by using you agree to our Terms of Service.

We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.

While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.

We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers

We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.

We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.

We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.

We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.

click me