AG Issues Demand on Uber for Information on Data Hack Impacting 57 Million Worldwide

HARRISBURG — Attorney General Josh Shapiro and the Bureau of Consumer Protection have formally demanded that Uber provide information on the data hack that affected 57 million people worldwide, including at least 600,000 Uber drivers in the U.S. and 13,000 drivers in Pennsylvania.

“These kinds of breaches will keep happening – and Americans and Pennsylvanians will keep seeing their personal and financial information compromised – until we force these companies to change the way they do business,” Attorney General Shapiro said. “We need to require change in corporate culture and put consumers’ security ahead of profits.”

This is the latest data breach in which the Office of Attorney General Shapiro is involved to protect Pennsylvanians. Attorney General Shapiro is among several attorneys general leading a 49-state investigation of the massive Equifax data breach impacting at least 145 million Americans and 5.5 million Pennsylvanians. That investigation is ongoing.

Immediately after the Uber hack became publicly known last week, Attorney General Shapiro directed his Bureau of Consumer Protection to send a letter to Uber’s counsel, demanding information about the Uber hack. The Bureau of Consumer Protection’s letter to Uber demanded among other things:

The exact date Uber discovered the hack
The number of affected drivers and riders in Pennsylvania and nationwide
The specific kinds of information and data which were compromised

Uber’s response to the Bureau of Consumer Protection is due December 15, 2017.

In Pennsylvania, at least 13,000 Uber drivers’ information – including their driver’s license numbers – was compromised by the data hack. Pennsylvania drivers are being notified by Uber through regular mail and email.

It is not known yet how many Uber riders in Pennsylvania were impacted by the hack. According to published reports, and information released by Uber itself, the names, email addresses and phone numbers of consumers may have been accessed, but no credit card or other payment information is believed to have been part of the hack.

Uber’s response will enable the Office of Attorney General to determine if Uber violated Pennsylvania’s Breach of Personal Information Notification Act in its delayed notification to drivers of the hack, as well as other potential violations of the state’s Consumer Protection Law.

Uber has stated it plans to monitor the impacted accounts and have them flagged for fraudulent activity. The company plans to offer free credit monitoring to drivers who were affected.

Impacted riders and drivers are encouraged to call the Attorney General’s Bureau of Consumer Protection at 1-800-441-2555 or email scams@attorneygeneral.gov. They can also file a complaint here.

“We want Pennsylvanians who believe they’ve been harmed by this hack to file a complaint with our office, or call or email us,” Attorney General Shapiro said. “We want to hear from them. Our goal is to force real change in corporate behavior, so these companies entrusted with our most secure information take the appropriate steps and implement the best technology to safeguard it.”