After second hacking scandal, second city joins wave of new suits

Origin Story

If the first Uber data breach was epic, there may not be a word for the second.

Back in 2014, an Uber employee left his login information on a highly trafficked software development platform, but failed to protect or encrypt the information. As a result, hackers identified the information and used it to access more than 100,000 names and driver's license numbers – this in spite of a number of public assurances that the company made regarding its data security.

It was a bush-league mistake by a sole employee, but the company promised regulators it would review and strengthen its data security program by, in part, adopting multifactor authentication of user credentials and engaging in ongoing monitoring by security specialists.

But by August 2017, the company was in the crosshairs of a Federal Trade Commission (FTC) investigation that accused it of failing to follow up on its security promises – making mistakes such as letting all engineers access cloud-based storage with a single password, storing sensitive information in unencrypted text and failing to require multifactor authentication.

The company settled with the FTC, promising to "put a comprehensive privacy program in place and to get independent third-party audits every two years for the next 20 years."

Üps They Did It Again

In October 2016, Uber was approached by two hackers who told the company they had breached its security and stolen a trove of personal information. They had, apparently, accessed the data by hacking a database on the same highly trafficked software development platform that had been breached in 2014, and uncovering login information.

The difference? They used the credentials to steal the records of millions of people – including the full names and driver's license information of 600,000 Uber drivers in the United States, and the names, phone numbers and email addresses of 57 million Uber users.

But it kept getting worse. The breach was not revealed until November 2017, when, as part of an internal investigation by the Uber board, a complicated cover-up was revealed. Press accounts described how Uber had paid the hackers $100,000 to delete the data and conceal the breach, and then entered nondisclosure agreements with the pair, threatening legal recourse if they ever discussed the crime.

The city of Chicago has launched a The city of Chicago has launched a complaint against the company, charging it with violations of the city's municipal code, the Illinois' Personal Information Protection Act, and the Illinois Consumer Fraud and Deceptive Business Practices Act – including failure to safeguard personal information, failure to give prompt notice of a data breach, concealment of the breach and deceptive public statements about data protection. against the company, charging it with violations of the city's municipal code, the Illinois' Personal Information Protection Act, and the Illinois Consumer Fraud and Deceptive Business Practices Act – including failure to safeguard personal information, failure to give prompt notice of a data breach, concealment of the breach and deceptive public statements about data protection.

Among other relief, the city seeks $10,000 in fines for each day a violation of its ordinance existed.

The suit, which sources say is the first case brought by a municipality in the 2016 breach, joins a number of state-level investigations into the matter, as well as class action lawsuits on behalf of users who claim to have suffered identity theft because of it.

The Takeaway

When a security incident is suspected, it is essential that companies move quickly to identify, contain, assess, communicate about and remediate the issue. This may include mandatory reporting to data subjects and government agencies. Most states have breach notification laws, although they differ materially. Download the 2017 BakerHostetler Data Security Incident Response Report, which provides insights and statistics drawn from over 200 incidents we helped clients respond to in 2016 and for more information on how to prevent, prepare for and respond to security incidents.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.