The Pennsylvania attorney general is suing Uber for failing to disclose a massive 2016 data breach for more than a year, alleging that the company violated state law requiring that consumers be notified of such hacks within a “reasonable” amount of time.
Attorney General Josh Shapiro announced the lawsuit Monday, about four months after Uber revealed that 57 million people had been exposed in the breach a year before.
“Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach,” Shapiro said in a statement. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year — and actually paid the hackers to delete the data and stay quiet. That’s just outrageous corporate misconduct, and I’m suing to hold them accountable and recover for Pennsylvanians.”
{mosads}Uber has admitted to paying the hackers responsible $100,000 to destroy the stolen data and to not disclose the breach. The company’s new leadership revealed the hack in November as part of their efforts to turn over a new leaf following the ouster of the embattled former CEO and co-founder Travis Kalanick.
Shapiro’s office said Monday that 43 state attorneys general are investigating the data breach. Washington’s top prosecutor, Bob Ferguson, also announced a lawsuit against Uber for violating his state’s data breach notification law.
Pennsylvania’s law requires companies to notify consumers of data breaches within a reasonable amount of time after it’s been discovered. Shapiro can seek up to $1,000 in fines for every violation that occurred.
Updated at 3:22 p.m.