Pennsylvania v. UBER


May 18, 1997
UBER not only had a data breach that it did not warn its customers about, the state of Pennsylvania is alleging that UBER actively tried to cover up the incident by paying off the hackers that stole the data. The state of Pennsylvania has filed a lawsuit for damages. The more you know....

HARRISBURG, Pa. (AP) — The ride-hailing company Uber broke Pennsylvania law when it failed to notify potential victims, including thousands of drivers, for a year after it discovered hackers had stolen their personal information, said the state attorney general, who sued the company Monday.

“Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year — and actually paid the hackers to delete the data and stay quiet,” state Attorney General Josh Shapiro said in a statement. “That’s just outrageous corporate misconduct, and I’m suing to hold them accountable and recover for Pennsylvanians.”
I bet their defense is "The Equifax and other breaches make the idea of 'personal data' moot".
If companies want to collect all of this data, there needs to be penalties when they fuck up.

Dire penalties.
Yup, I've been saying this for years. If you want to have a warehouse full of explosive materials, you have regulations as to how that can be done simply because of the potential damage it can cause. Now I'm not saying a bunch of social security numbers and metrics about driving are necessarily as dangerous as explosives, but that information can cause damage if released, and more so because it won't simply be the isolated area around said warehouse that gets f-ed up. Now you basically damage people's lives regardless of how small, and now it's up to them to put in the legwork to fix it.
If they paid off the hackers and the data was actually deleted, I would say that at least they took care of it in a far better manner than Equifax or anyone else. Now, they obviously should have publicly reported it.

But, even with them paying these hackers off, not like they can trust that the hackers actually deleted the data... hence the reasoning that yeah, it should have been reported.

Of course, if they paid off the hackers, then said publicly "hey, we had a breach. But the data was recovered, we paid the hackers to delete it..." what do you think would happen? "holy shit they paid those other hackers, let's see what we can get!" and it becomes open season on them... I can understand a delay in public notification if they are addressing the security flaws that allowed the breach to occur, and getting it patched so it cannot happen again (within a reasonable timeframe).