Uber hit with litigation wave over 2016 data breach it failed to disclose
27 November 2017. By Mike Swift.
Uber Technologies is facing multiple class-action lawsuits around the United States on behalf of both drivers and users of the ride-hailing giant, who allege Uber not only negligently failed to protect their personal information, but that Uber committed fraud by keeping the 2016 breach secret.
“As a result of Uber’s negligence and wanton and reckless disregard of data breach notification requirements, millions of Americans are now – and have been for over one year – at risk of identity theft,” according to a suit filed in San Francisco federal court by two Uber users in South Carolina, Danyelle Townsend and Ken Tew.
"I think the thing that stands out here is how egregious the facts are," said Cari Laufenberg, a lawyer representing Townsend and Tew in that suit. "To have a company acting in such an underhanded and self-seriving manner is pretty egregious, at the peril of millions of people’s identies."
In another suit filed in San Francisco federal court, Susan Webber, an Uber driver in San Diego, California, said the exposure of driver's license numbers for about 600,000 drivers, which has been discovered only recently, puts them in particular peril for identity theft or other fraud.
“Defendants failed, and continues (sic) to fail, to provide adequate protection of its Drivers’ and Riders’ personal and confidential information and has egregiously failed to provide sufficient and timely notice or warning of potential and actual cybersecurity breaches to its users,” Webber’s suit alleges.
Other suits, filed in federal courts in Chicago, Los Angeles and other cities, are accusing Uber of negligence, breach of implied contract, violation of the Federal Trade Commission Act’s prohibition against unfair or deceptive conduct, violation of state unfair competition laws, and violation of state data security laws in California, Florida, Illinois and other states.
Uber CEO Dara Khosrowshahi acknowledged last week that the breach that exposed the personal data of about 57 million users around the world happened in October 2016, along with the driver's license numbers of the company’s drivers in the US. But the company failed to notify users and regulators — an apparent violation of state laws in the US that typically require notification of the state’s attorney general within a reasonable period of time after a company’s computer networks are breached.
In addition to the US lawsuits, Uber is starting to hear from members of Congress as well, with Senator Mark Warner, a Virginia Democrat, firing off a letter Monday asking about reports that Uber paid $100,000 to the hackers to delete the stolen data, rather than reporting the breach to regulators. Republican senators are also peppering Uber with questions about the breach.
Uber’s actions are facing multiple investigations by regulators in the US, Europe, Asia and Australia. With EU privacy regulators meeting this week to discuss whether to mount a Europe-wide response and whether to look for joint action with the US FTC, Uber could end up facing coordinated EU-US regulatory action.
One of the Uber suits that was filed late last week in Chicago federal court on behalf of Uber users in Illinois, California, Florida, New York and other states seeks to create a national class of victims, as well as separate classes of users in those states, based on Uber’s alleged violations of state laws that require notification of data breaches to regulators and consumers.
By keeping the breach secret, said plaintiff Brandon Franklin of Chicago, Uber induced its users to use the service over the past year and put themselves at additional risk of identity fraud or other harm.
“Uber’s fraudulent and deceptive acts and omissions were intended to induce Plaintiff’s and the other Class Members’ reliance on Uber’s deception that their financial information was secure and protected when using debit and credit cards [to] utilize Uber,” said Franklin and plaintiffs Casey Creaney of Encinitas, California; and Garrett Stanwick of San Diego.*
A number of suits, including one filed in Los Angeles federal court by Benjamin Heller and four other plaintiffs, are being filed as class actions based on the claim that damages in the case will top $5 million.
“Plaintiffs seek the following remedies, among others: statutory damages under state and/or federal laws, reimbursement of out-of-pocket losses, other compensatory damages, further and more robust credit monitoring services with accompanying identity theft insurance, and injunctive relief including an order requiring Defendants to implement improved data security measures,” the Heller suit alleges.
Uber is based in San Francisco, meaning the Northern District of California would be a leading candidate for the venue where the cases around the US would ultimately be consolidated. It is highly likely that other suits against Uber will be filed in the coming days. The recent Equifax data breach has spawned more than 240 class actions in the US and Canada.
*Updated on June 5, 2018 at 15:35 GMT: Removes the name of a purported plaintiff listed in the court filing who is not, in fact, involved in the case.