Chicago sues Uber over data breach

WASHINGTON • The city of Chicago and the Cook County state's attorney are suing Uber after the firm revealed that it waited more than a year to disclose a massive data breach and, according to multiple reports, paid the hackers US$100,000 (S$135,000) to stay quiet.

The legal action by Illinois officials in the United States is the latest move in a mounting backlash against the company, which said last week that the personal information of 57 million customers and drivers had been stolen in October last year.

Uber now faces at least four lawsuits, including three seeking class-action status, prompted by the data breach. The attorneys-general of five states in the US have launched investigations, and the Federal Trade Commission said it is closely evaluating reports of the hack.

The Chicago lawsuit alleges that Uber failed to safeguard the personal data of Illinois residents and further violated the law by withholding for an extended period of time the announcement of the data breach and concealing the hack through its ransom payment. The lawsuit claims Uber wilfully exposed Illinois residents to risks of financial fraud, identity theft and tax scams.

According to Uber chief executive Dara Khosrowshahi, the company identified the hackers and "obtained assurances that the downloaded data had been destroyed". But in the complaint, Illinois officials took aim at what they described as a deeply troubling arrangement between Uber and the intruders.

"Any agreement that Uber reached with the criminal hackers couldn't possibly be trusted to protect user data. Nor did Uber require any proof that the stolen data was, in fact, deleted," stated the suit.

The officials added that in the digital age it is "impossible" for Uber to know if the hackers still have copies of customer data. A spokesman for Uber did not immediately respond to a request for comment.

The city seeks a declaration that Uber broke the law and a series of penalties that add up to hundreds of millions of dollars.

The lawsuit asks the court to fine Uber US$10,000 a day for every day the company failed to notify Chicago and Illinois residents of the data breach, which would amount to at least US$3.65 million. Uber also faces penalties of up to US$50,000 per individual violation, if the court finds that the company intended to defraud Illinois residents. Officials, however, do not yet know how many state residents were affected.

The lawsuit was filed on the same day that a group of four Republican senators sent a letter to Uber asking for more information about the hack.


A version of this article appeared in the print edition of The Straits Times on November 30, 2017, with the headline 'Chicago sues Uber over data breach'. Print Edition | Subscribe