Pennsylvania sues Uber over 2016 data breach
Uber may be trying to clean up its image with new services like Uber Health, but its past mistakes keep coming back to haunt it. Back in 2016, Uber was the target of a cyberattack, which exposed the personal information of 57 million people. It took Uber over a year to actually report the attack; the company instead chose to pay the hackers a $100,000 extortion fee. Now, the state of Pennsylvania is suing Uber for failing it immediately disclose the breach.
"Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach," Attorney General Josh Shapiro said in a statement. "Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year — and actually paid the hackers to delete the data and stay quiet. That's just outrageous corporate misconduct, and I'm suing to hold them accountable and recover for Pennsylvanians."
The law Uber is charged with violating is the Pennsylvania Breach of Personal Information Notification Act. This requires companies to notify people who are impacted by any breach of data within a reasonable amount of time. It's difficult to argue that thirteen months, which is the amount of time between the October 2016 leak and November 2017 disclosure, is "reasonable". The law allows Shapiro to seek up to $13.5 million in penalties from Uber.
You can bet that Pennsylvania won't be the last state to file suit against Uber; as many as 43 others are investigating Uber's failure to disclose the hack. You can bet that this isn't the last we'll hear about this data breach.
Source: Office of the Attorney General of Pennsylvania (1), Office of the Attorney General of Pennsylvania (2)
via Engadget RSS Feed "http://ift.tt/2FhcRaC"
Comments
Post a Comment