Mayor Rahm Emanuel and Cook County State’s Attorney Kimberly M. Foxx announced that they are filing a consumer fraud lawsuit against Uber Technologies, Inc. (“Uber”) over its failure to adequately protect the data of its customers and drivers, which resulted in a massive 2016 data breach that exposed personal data of over 57 million Uber users and drivers, and its subsequent year-long failure to disclose that breach to authorities or to the public as required by law.
City of Chicago Corporation Counsel Ed Siskel and State’s Attorney Foxx, on behalf of the People of the State of Illinois, filed the complaint in the Chancery Division of the Circuit Court of Cook County. The complaint raises several claims under the Illinois Consumer Fraud and Deceptive Business Practices Act and the Chicago Municipal Code, stemming from Uber’s failure to adequately protect its data and actively concealing the breach once it occurred.
“Not only did Uber allow a massive data breach that exposed the personal information of millions of drivers and passengers, they brazenly attempted to conceal this information from the public,” said Mayor Emanuel. “The City of Chicago will not tolerate these kinds of irresponsible practices, which is why we are taking legal action to hold Uber accountable for their reckless actions.”
“We filed this lawsuit because Uber must be held accountable for its actions which have made its customers vulnerable to identity theft, fraud, and other abuse,” said State’s Attorney Foxx. “Consumers expect and deserve protection from disclosure of their personal information. I am committed to ensuring that those who don’t follow these laws cannot simply sweep it under the rug.”
According to the complaint, Uber experienced a smaller data breach in 2014 that resulted from posting a database containing identifying information to the software development platform GitHub, which was subsequently accessed by hackers. After the 2014 breach, Uber agreed to make significant updates to its security practices to meet industry standards, but failed to do so. That failure allowed for the 2016 breach that is the subject of this lawsuit, in which hackers again were able to obtain vast amounts of personal information about millions of consumers and Uber drivers through improperly-secured Uber databases posted to GitHub.
“Companies cannot be permitted to violate the law by failing to safeguard personal information and then covering it up, preventing those impacted from taking steps to protect themselves,” said City of Chicago Corporation Counsel Ed Siskel. “We are again protecting our residents while putting companies on notice that they need to take the proper precautions with sensitive information.”
The complaint further alleges that Uber violated State and municipal law when for a year it failed to disclose the data breach, as it was required to do by law. Uber became aware in November 2016 that criminal hackers had obtained the information, but rather than disclosing it instead made a substantial payment to the hackers in exchange for an agreement to “destroy” the improperly-obtained data. This payment was disguised as part of Uber’s “bug bounty” payment program, in an effort to conceal the breach and subsequent payoff.