The Chicago lawsuit alleges that Uber failed to safeguard the personal data of Illinois residents and further violated the law by withholding the announcement of the data breach for an extended period of time and concealing the hack through its ransom payment to the intruders. The lawsuit claims that Uber willfully exposed many Illinois residents to the risks of financial fraud, identity theft and tax scams.
According to Uber chief executive Dara Khosrowshahi, the company identified the hackers and “obtained assurances that the downloaded data had been destroyed.” But in the complaint, Illinois officials took aim at what they described as a deeply troubling arrangement between Uber and the people who stole personal data from the company. “Any agreement that Uber reached with the criminal hackers couldn't possibly be trusted to protect user data. Nor did Uber require any proof that the stolen data was, in fact, deleted,” stated the suit. The officials added that in the digital age it is “impossible” for Uber to know whether the hackers still have copies of customer data.
A spokesman for Uber did not immediately respond to a request for comment.
The city seeks a declaration that Uber broke the law and a series of penalties that add up to hundreds of millions of dollars. The lawsuit asks the court to fine Uber $10,000 a day for every day the company failed to notify Chicago and Illinois residents of the data breach, which would amount to at least $3,650,000. Uber also faces penalties of up to $50,000 per individual violation, if the court finds that the company intended to defraud Illinois residents. Officials, however, do not yet know how many state residents were affected.
The lawsuit was filed on the same day that a group of four Republican senators, including Orrin G. Hatch (Utah), chairman of the Finance Committee, and John Thune (S.D.), chairman of the Commerce Committee, sent a letter to Uber asking for more information about the hack. The lawmakers want to learn how Uber officials responded to the breach and the purpose of the reported payment to hackers. Sen. Mark R. Warner (D-Va.) also sent a letter to Uber describing “grave concerns” over the data breach and asking for more details of what took place.