Los Angeles City Attorney Mike Feuer today announced that his office has filed a civil enforcement action against Uber Technologies, Inc., over its massive October, 2016, data breach that led to 600,000 U.S. drivers’ names and license numbers being stolen. The lawsuit alleges that under California law Uber was required promptly to notify its affected California drivers of the breach--but instead paid the hackers to destroy the data, then pressured the hackers to enter into nondisclosure agreements to keep quiet about it. Uber finally made the breach known in November, 2017, 13 months later.
"We allege Uber violated California law, and public trust, when it hid this massive data breach," said City Attorney Mike Feuer. "If any company should know better, it’s Uber, which reached a previous settlement after allegedly failing to provide timely notice to its users about an earlier security breach. Uber and other companies holding vast amounts of private data need to safeguard it—and immediately come clean if the information is compromised."
The complaint alleges that in November, 2016, Uber discovered a hack of the names and driver’s license numbers of approximately 600,000 U.S. Uber drivers, among other information. Instead of promptly notifying California drivers, Uber allegedly hid the breach for an entire year and paid the hackers $100,000 in exchange for their promise destroy the data. Uber allegedly then identified the hackers and pressured them to enter into nondisclosure agreements, and further attempted to conceal the hack by making the payout appear to have been part of a purposeful effort by the company to identify possible flaws in Uber’s systems.
The complaint alleges that Uber’s attempt to keep this data breach from affected California drivers violates California Unfair Competition Law, which requires prompt disclosure when personal information has been stolen. The City Attorney’s lawsuit seeks civil penalties to hold Uber accountable and deter any such future unlawful business practice.
Uber’s alleged actions followed a January, 2016, settlement between Uber and the New York State Attorney General over Uber’s alleged failure to provide notice to people impacted by another security breach, also involving Uber drivers, until six months after Uber first learned about that breach.
Michael Bostrom, Managing Assistant City Attorney, and Steven Son, Deputy City Attorney, of the Affirmative Litigation Division, are handling the litigation.