Pennsylvania AG sues Uber over 2016 data fail

Not much brotherly love in this Philly court case


Uber has been hit with a lawsuit over its failure to disclose the 2016 theft of its customer and driver records.

Pennsylvania state Attorney General Josh Shapiro says the dial-a-ride broker violated state data breach law when it failed to promptly file a report and notify both drivers and passengers of the loss of data.

Shapiro said the suit will seek at least $13.5m in damages.

According to the suit (PDF) filed with the Philadelphia County state district court, Uber violated the state's Consumer Protection Law when, in 2016, it paid a hacker six figures to keep quiet about the incident. Uber finally came forward about the matter in 2017.

Among those whose data was exposed by the attack were 13,500 Uber drivers in Pennsylvania.

By failing to notify those drivers of the breach, Shapiro believes Uber violated the 'Breach of Personal Information Notification Act', a provision that calls for any breach of personal information to be disclosed 'without unreasonable delay'.

"Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year – and actually paid the hackers to delete the data and stay quiet," said Shapiro.

"That’s just outrageous corporate misconduct, and I’m suing to hold them accountable and recover for Pennsylvanians."

The suit asks the court to levy damages against Uber of $1,000 for each of the 13,500 exposed drivers. The suit also seeks legal costs and restitution for the victims.

Uber chief legal officer Tony West, who has promised to cooperate with all state investigations, said in a statement he was "surprised" by Shapiro's lawsuit.

"I look forward to continuing the dialogue we’ve started as Uber seeks to resolve this matter. We make no excuses for the previous failure to disclose the data breach," West told The Register.

"While we do not in any way minimize what occurred, it's crucial to note that the information compromised did not include any sensitive consumer information such as credit card numbers or social security numbers, which present a higher risk of harm than driver’s license numbers." ®

Biting the hand that feeds IT © 1998–2022