Uber has been hit with a lawsuit over its failure to disclose the 2016 theft of its customer and driver records.
Pennsylvania state Attorney General Josh Shapiro says the dial-a-ride broker violated state data breach law when it failed to promptly file a report and notify both drivers and passengers of the loss of data.
Shapiro said the suit will seek at least $13.5m in damages.
According to the suit (PDF) filed with the Philadelphia County state district court, Uber violated the state's Consumer Protection Law when, in 2016, it paid a hacker six figures to keep quiet about the incident. Uber finally came forward about the matter in 2017.
Among those whose data was exposed by the attack were 13,500 Uber drivers in Pennsylvania.
By failing to notify those drivers of the breach, Shapiro believes Uber violated the 'Breach of Personal Information Notification Act', a provision that calls for any breach of personal information to be disclosed 'without unreasonable delay'.
"Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year – and actually paid the hackers to delete the data and stay quiet," said Shapiro.
"That’s just outrageous corporate misconduct, and I’m suing to hold them accountable and recover for Pennsylvanians."
The suit asks the court to levy damages against Uber of $1,000 for each of the 13,500 exposed drivers. The suit also seeks legal costs and restitution for the victims.
Uber chief legal officer Tony West, who has promised to cooperate with all state investigations, said in a statement he was "surprised" by Shapiro's lawsuit.
"I look forward to continuing the dialogue we’ve started as Uber seeks to resolve this matter. We make no excuses for the previous failure to disclose the data breach," West told The Register.
"While we do not in any way minimize what occurred, it's crucial to note that the information compromised did not include any sensitive consumer information such as credit card numbers or social security numbers, which present a higher risk of harm than driver’s license numbers." ®