A complaint filed Monday by Los Angeles City Attorney Mike Feuer accuses Uber Technologies Inc. of violating California law by concealing “for an entire year” a data breach that exposed the names and license numbers of 600,000 Uber drivers in the United States.
As we’ve previously reported, hackers also stole the names, email addresses and cellphone numbers for 57 million Uber riders. Rather than promptly reporting the breach, Uber paid the hackers $100,000 to destroy the stolen data, according to the complaint. The breach was disclosed last month in a blog post by Uber’s new CEO.
“Uber located the hackers, pressured them to sign nondisclosure agreements, and made the $100,000 ransom appear as if it had been part of a ‘bug bounty,’ a common practice among technology companies in which hackers are paid to attack their software to test for vulnerabilities,” the complaint alleged.
Los Angeles is the second city to sue Uber over the breach. Last week, the City of Chicago filed a consumer fraud lawsuit against Uber over the company’s alleged failure to protect customer and driver information. And, the Washington Attorney General also filed suit under its state’s amended data breach statute.
The LA lawsuit calls Uber’s conduct “even more alarming” considering the fact that the ride-hailing company reached a settlement with the New York Attorney General in 2016 related to two previous data security incidents.
In late November 2014, the New York AG started an investigation into Uber’s “collection, maintenance and disclosure of rider personal information ….” Several months later, a separate investigation was opened relating to a data breach in which driver names and license numbers were “accessed by an unauthorized third party.”
While previous suits against Uber have been styled as class actions seeking damages on behalf of potentially injured breach victims, what sets the LA County suit apart is that the City Attorney is acting in his capacity as public representative, and is seeking statutory damages that would inure to the benefit of the state. Citing Uber’s California headquarters as a jurisdictional basis, the LA City Attorney is seeking damages in the amount of $2500 per violation—i.e., per breach victim in California—plus additional enhanced statutory damages in the amount of $2500 per violation for each breach victim in California who was a senior citizen or disabled person.
While the complaint doesn’t specifically identify the number of California individuals affected, considering the sheer size of California and the popularity of Uber in the state, the penalties sought could easily amount to millions of dollars.