Attorney General Josh Shapiro reaches settlement with Uber for data breach involving 13,500 drivers

By

Uber
As a result of the settlement, each impacted Pennsylvania Uber driver will receive a $100 payment. Approximately $1.35 million will go to these drivers. (MONTCO.today file photo)

Attorney General Josh Shapiro today announced a settlement agreement with California-based ride-sharing company Uber Technologies, Inc. to resolve the company’s one-year delay and cover up in reporting a data breach to affected drivers. Under the terms of the nationwide settlement, secured by Attorney General Shapiro and 50 other Attorneys General, the Pennsylvania Office of the Attorney General will receive $5.7 million from Uber. The company will also be required to take significant steps to change its corporate practices to better protect and secure its employees’ information and other data.

In November 2016, Uber learned that hackers had gained access to some personal information Uber maintains about its drivers, including drivers’ license information for about 600,000 drivers nationwide. Instead of reporting the breach to law enforcement and impacted individuals, Uber tracked down the hackers and obtained assurances that the hackers deleted the information – and made payments to ensure their silence. At least 13,500 Pennsylvania Uber drivers were affected by the breach.

[uam_ad id=”54865″]


Since some of the compromised information – specifically driver’s license numbers – is considered personally identifiable information (PII), Uber was required to notify impacted individuals under the Pennsylvania Breach of Personal Information Notification Act. However, Uber failed to report the breach until November 2017.

In March, Attorney General Shapiro directed his Bureau of Consumer Protection to file a lawsuit against Uber for violating Pennsylvania’s data breach notification law. The lawsuit was the first time Attorney General Shapiro sued under that statute. The Pennsylvania Attorney General’s case against Uber was settled as part of the national settlement announced today, which will require to pay $148 million to the 51 participating Attorneys General and Uber drivers.

“Uber violated Pennsylvania law by failing to put our residents on timely notice of this data breach,” Attorney General Josh Shapiro said. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year – and actually paid the hackers to delete the data and keep quiet. That is outrageous corporate misconduct, and today’s settlement holds them accountable and requires real changes in their corporate behavior.”

As a result of the settlement, each impacted Pennsylvania Uber driver will receive a $100 payment. Approximately $1.35 million will go to these drivers. A settlement administrator will be appointed to provide notice and payment to eligible drivers.

The remainder of the settlement for Pennsylvania – $4.35 million – will go to the Attorney General’s Public Protection Section and Bureau of Consumer Protection, to be used to conduct future investigations and outreach to protect Pennsylvanians from violations of consumer protection law.

“The more personal information these criminals gain access to, the more vulnerable the person whose information was stolen becomes,” Attorney General Shapiro said. “That’s why my Bureau of Consumer Protection took action, and it is why we are also continuing to lead an ongoing national investigation into the Equifax breach.”

All 50 state Attorneys General and the District of Columbia are participating in this multistate agreement with Uber. The settlement, in the form of a Consent Petition, has been submitted and requires court approval to become final. Attorney General Shapiro recommended any Uber drivers in Pennsylvania who believe they were impacted by the breach to monitor their credit report to protect themselves from any further vulnerability.

[uam_ad id=”54875″]

Tags:

Stay Connected, Stay Informed

Subscribe for great stories in your community!

"*" indicates required fields

Hidden
MT Yes
This field is for validation purposes and should be left unchanged.
Advertisement