The office of Pennsylvania Attorney General Josh Shapiro filed a lawsuit against Uber on Monday, seeking up to $13.5 million from the company over its failure to disclose a major 2016 data breach in a timely manner. The incident, which occurred in October 2016, was technically a bug disclosure, albeit one with some characteristics of blackmail: the researcher who discovered the original vulnerability downloaded data on approximately 57 million driver and rider accounts from Uber's Amazon Web Services servers. The ordeal prompted the San Francisco, California-based startup to fire its Chief Security Officer, Joe Sullivan, and to publicly apologize for the matter.
With around 13,500 of the affected individuals being Pennsylvania residents, Mr. Shapiro is now suing for up to $1,000 per individual privacy violation. While a company can rarely be held responsible for suffering a hacking attack unless negligence can be proved, Uber's failure to swiftly notify its users that their data had been compromised is grounds for a lawsuit, the AG's office believes. The data Uber lost control of hasn't been abused and was deleted shortly after the person who downloaded it and reported the exploit received a $100,000 payoff in the form of an uncharacteristically high bug bounty; Uber's program that rewards security researchers for discovering vulnerabilities usually doesn't pay more than $10,000 per incident. The ride-hailing service provider only disclosed the breach last November, shortly before SoftBank took a major stake in the company.
Besides not being abused, the compromised data wasn't highly sensitive in nature, Uber previously claimed, adding that Social Security numbers and credit card information of its drivers and riders were never obtained by an external party. Instead, the breached data included the likes of driver's license numbers and email addresses. The vulnerability itself was discovered in Uber's GitHub repository, where its engineers had unintentionally left some of the company's server keys; the bug bounty recipient then used those keys to access a number of the startup's cloud storage solutions hosted by Amazon. Uber has already offered to pay for identity theft protection and credit monitoring services for all of its drivers and riders whose data was downloaded as a result of the breach, though the company remains adamant that none of it ended up in the wrong hands following the incident.