On November 21, 2017, Bloomberg Technology reported that in October of 2016 two hackers accessed the personal information of 57 million individuals associated with Uber, including both drivers and customers. The data stolen from Uber included email addresses, phone numbers, license plate numbers, and the contact information of several drivers. This information is commonly used for identity theft, which often results in credit card theft, obtaining fraudulent loans, and looting bank accounts. While the hack itself is alarming, what later ensued is likely more detrimental to the company.
Uber responded to this hack by paying a $100,000 ransom to the hackers to keep the breach secret and to delete the stolen data. Simultaneously, Uber was in the midst of settling a previous privacy violation with the FTC. Thus, while paying a ransom for a data security breach is not illegal and is largely a form of risk management, doing so to organize a cover-up is an evasion of security breach notification laws, which have been passed in 48 states, and, in Uber’s case, likely contributes to criminal sanctions for lying to the FTC while under investigation.
Since the disclosure of the data breach, five attorneys general, including Illinois Attorney General Lisa Madigan, have launched investigations into the company. In addition, the City of Chicago and Cook County filed a joint lawsuit against Uber on November 27, 2017, alleging that the company violated several parts of the Chicago Municipal Code and Illinois law by obscuring the hack. These laws are incredibly complicated and were enacted precisely to prevent the actions that Uber took: deliberately concealing a data security breach and further endangering consumers. While paying the ransom is a contentious topic, there is no debate that Uber should have disclosed the breach to the FTC and its consumers.
Uber’s poor decision-making highlights the importance of attorney guidance. Attorneys within the cybersecurity and data privacy field can aid businesses of all types in taking preventive measures to limit the damage and liability. Although Uber is a multinational corporation, small businesses in Illinois are subject to the same regulations. Businesses throughout the state, subject to breach, regardless of size, should contact their attorneys to prevent further liability and maintain integrity.