Regulators sued Uber for failing to disclose data breaches

After a data breach in which hackers stole data from about 600,000 drivers globally, for which Uber paid a ransom to hackers but did not notify affected drivers, regulators pursued Uber’s violation of applicable law, including state laws about notifying those subject to data breaches.

  • The FTC filed a revised complaint adding additional concerns to a prior action against Uber. Uber responded by agreeing to expand its prior settlement with the FTC over charges that it deceived consumers about its privacy and data security practices. The FTC specifically criticized Uber for failing to disclose the breach to the FTC until November 2017, fully a year after the breach occurred, even though the FTC was already investigating other Uber data security practices.
  • Pennsylvania sued, threatening a penalty of up to $13.5 million ($1000 for each of the 13,500 Pennsylvania drivers affected).
  • The city of Chicago also sued (complaint), seeking $10,000 per day for each day that Uber violated the state’s disclosure ordinance, as well as $50,000 for violating the Illinois Consumer Fraud Act.