The ride-hailing company Uber broke Pennsylvania law when it failed to notify potential victims, including thousands of drivers, for a year after it discovered hackers had stolen their personal information, said the state attorney general, who sued the company Monday.
The lawsuit, filed in Philadelphia, said hackers stole the names and driver's license numbers of at least 13,500 Pennsylvania Uber drivers. It accused Uber of violating a state law requiring it to notify victims of a data breach within a "reasonable" time frame.
"Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year — and actually paid the hackers to delete the data and stay quiet," state Attorney General Josh Shapiro said in a statement. "That's just outrageous corporate misconduct, and I'm suing to hold them accountable and recover for Pennsylvanians."
Shapiro's office did not have details about riders who were affected, but asked Pennsylvanians who believes they may have been harmed by the Uber hack to file a complaint with the office.
Uber revealed in November that hackers in 2016 had stolen the names, email addresses and mobile phone numbers of 57 million riders around the world. The thieves also nabbed the driver's license numbers of 600,000 Uber drivers in the U.S. The breach did not include any credit card information or Social Security information, Uber said.
When it revealed the hack, Uber said there was no evidence the stolen data had been misused. It acknowledged paying the hackers $100,000 to destroy the stolen information.
Washington state and Chicago have sued Uber, and attorneys general in other states have said they were investigating Uber's data breach.
Uber said it is cooperating with Pennsylvania investigators.
"I've been up front about the fact that Uber expects to be held accountable; our only ask is that Uber be treated fairly and that any penalty reasonably fit the facts," Uber said in statement from its chief legal officer, Tony West.
The lawsuit seeks civil penalties into the millions of dollars, including $1,000 for each violation of consumer protection laws and $3,000 for each violation involving a victim who is 60 or older.
It is the first time Pennsylvania has sued under a 12-year-old state law that makes failing to notify potential victims of a breach of personal information punishable under consumer protection laws.