Los Angeles City Attorney Mike Feuer today announced that his office has filed a civil enforcement action against Uber Technologies, Inc., over its massive October, 2016, data breach that led to 600,000 U.S. drivers’ names and license numbers being stolen. The lawsuit alleges that under California law Uber was required promptly to notify its affected California drivers of the breach--but instead paid the hackers to destroy the data, then pressured the hackers to enter into nondisclosure agreements to keep quiet about it. Uber finally made the breach known in November, 2017, 13 months later.
"We allege Uber violated California law, and public trust, when it hid this massive data breach," said City Attorney Mike Feuer. "If any company should know better, it’s Uber, which reached a previous settlement after allegedly failing to provide timely notice to its users about an earlier security breach. Uber and other companies holding vast amounts of private data need to safeguard it—and immediately come clean if the information is compromised."
The complaint alleges that in November, 2016, Uber discovered a hack of the names and driver’s license numbers of approximately 600,000 U.S. Uber drivers, among other information. Instead of promptly notifying California drivers, Uber allegedly hid the breach for an entire year and paid the hackers $100,000 in exchange for their promise destroy the data. Uber allegedly then identified the hackers and pressured them to enter into nondisclosure agreements, and further attempted to conceal the hack by making the payout appear to have been part of a purposeful effort by the company to identify possible flaws in Uber’s systems.