Pennsylvania Attorney General Josh Shapiro filed a lawsuit Monday alleging that Uber Technologies failed to immediately disclose a data breach potentially affecting 57 million passengers and drivers worldwide.
At least 13,500 Uber drivers in Pennsylvania had their names and driver's license numbers stolen by hackers, according to Shapiro.
The popular ridesharing service kept the data breach secret for more than a year, acknowledging in November that it had paid a $100,000 ransom to have the hackers delete the data.
Uber's failure to notify potential victims within a reasonable timeframe violates the Pennsylvania Breach of Personal Information Notification Act, Shapiro alleges.
The lawsuit seeks $13.5 million in civil penalties from Uber.
"Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach," Shapiro said in a statement. "Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year – and actually paid the hackers to delete the data and stay quiet."
The lawsuit was filed in the Philadelphia Court of Common Pleas. It also alleges Uber violated the Pennsylvania Unfair Trade Practices and Consumer Protection Law.
The data breach may leave Pennsylvania residents vulnerable to identity theft, according to Shapiro. Stolen driver's license numbers are sold to cyber-criminals who use personal information to establish fake credit card accounts and run debts in the victims' names.
During the October 2016 data breach, hackers accessed the email addresses and phone numbers of about 57 million Uber users. They also accessed the driver's license numbers of about 600,000 drivers.
Uber Chief Legal Officer Tony West said in a statement that he has spoken with various state and federal regulators in connection to the data breach since assuming his role three months ago.
"We make no excuses for the previous failure to disclose the data breach," West said. "While we do not in any way minimize what occurred, it's crucial to note that the information compromised did not include any sensitive consumer information such as credit card numbers or social security numbers, which present a higher risk of harm than driver's license numbers."
West said he reached out to Shapiro several weeks ago and wishes to resolve the matter through continued dialogue. He asked that Uber be treated fairly and that any penalty "reasonably fit the facts."
Potential victims should file a complaint with the Bureau of Consumer Protection, Shapiro said. Residents can do so by calling (800)-441-2555 or emailing scams@attorneygeneral.gov.