When you discover that your company’s systems have been hacked, do you (a) announce it, investigate, and hope to punish those responsible, or (b) pay the hackers $100,000 to keep quiet about it? The complaint for this class action claims that Uber chose to bribe the criminals who stole customer and driver data.
The Nationwide Class for this action is all persons whose private information was disclosed in the Uber data breach of 2016. The Alabama Consumer Class is all members of the Nationwide Class who are residents of Alabama and purchased Uber services in Alabama.
On November 21, 2017, news outlets reported that Uber suffered a data breach in October 2016 that exposed the data of around 57 million customers, and that, while Uber had learned of the breach by the following month, it chose not to notify the victims and instead paid the hackers to cover it up.
According to a Bloomberg news article, the hackers got in through “a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on the Amazon Web Services account that handled computing tasks for the company. From there, hackers discovered an archive of rider and driver information.” It also said, “No Social Security numbers, credit card information, trip location details or other data were taken, Uber said.”
The complaint quotes an Uber statement as saying, “Driver information included the names, addresses and mobile phone numbers related to accounts globally. In addition, the driver’s license numbers of around 600,000 drivers in the United States were downloaded.”
However, the complaint claims that Uber’s reports about the incident cannot be trusted. It cites a previous data breach in 2014, in which Uber claimed that only driver’s license numbers and names were disclosed; yet in 2016 Uber finally admitted that other information, including banking information and Social Security numbers, had been taken.
The complaint claims that people whose data was exposed are likely to become victims of identity theft at some point in the future. It cites a Javelin Strategy and Research Study saying that 16% of all Americans have been victims of identity theft as of 2016. According to the complaint, identity thieves can empty bank accounts, run up credit cards, obtain other credit cards, commit immigration fraud, file taxes and collect the victim’s refund, get medical services under the victim’s insurance, and so on.
The complaint claims that Uber failed to safeguard customers’ and drivers’ information and is therefore guilty of negligence and breach of implied contract.