The city of Chicago and the Cook County state's attorney are suing Uber after the company revealed that it waited more than a year to disclose a massive data breach and, according to multiple reports, paid the hackers responsible $100,000 to stay quiet.
The legal action by Illinois officials is the latest move in a mounting backlash against the company, which said last week that the personal information of 57 million customers and drivers had been stolen in October 2016. Uber now faces at least four lawsuits, including three seeking class-action status, prompted by the data breach. The attorneys general of five states have launched investigations, and the Federal Trade Commission said it is closely evaluating reports of the hack.
The Chicago lawsuit alleges that Uber failed to safeguard the personal data of Illinois residents and further violated the law by delaying the announcement of the data breach for an extended period of time and concealing the hack through its ransom payment to the intruders. The lawsuit claims that Uber willfully exposed many Illinois residents to the risks of financial fraud, identity theft and tax scams.
According to Uber chief executive Dara Khosrowshahi, the company identified the hackers and “obtained assurances that the downloaded data had been destroyed.” But in the complaint, Illinois officials took aim at what they described as a deeply troubling arrangement between Uber and the people who stole personal data from the company. “Any agreement that Uber reached with the criminal hackers couldn't possibly be trusted to protect user data. Nor did Uber require any proof that the stolen data was, in fact, deleted,” stated the suit. The officials added that in the digital age it is “impossible” for Uber to know whether the hackers still have copies of customer data.
A spokesman for Uber did not immediately respond to a request for comment.
The city seeks a declaration that Uber broke the law and a series of penalties that add up to hundreds of millions of dollars. The lawsuit asks the court to fine Uber $10,000 a day for every day the company failed to notify Chicago and Illinois residents of the data breach, which would amount to at least $3,650,000. Uber also faces penalties of up to $50,000 per individual violation, if the court finds that the company intended to defraud Illinois residents. Officials, however, do not yet know how many state residents were affected.
The lawsuit was filed on the same day that a group of four Republican senators, including Orrin G. Hatch (Utah), chairman of the Finance Committee, and John Thune (S.D.), chairman of the Commerce Committee, sent a letter to Uber asking for more information about the hack. The lawmakers want to learn how Uber officials responded to the breach and the purpose of the reported payment to hackers. Sen. Mark R. Warner (D-Va.) also sent a letter to Uber describing “grave concerns” over the data breach and asking for more details of what took place.