After Uber revealed that it paid hackers $100,000 to keep quiet about stealing the personal information of 57 million customers and drivers, the company is now facing at least three potential class-action lawsuits and separate investigations by the attorneys general of New York, Missouri, Massachusetts, Connecticut, and Illinois.
The company said it also has been in contact with the Federal Trade Commission.
The legal action against Uber comes as the beleaguered ride hailing company is still reeling from high-profile sexual harassment complaints and ongoing federal probes of possible bribery, theft of trade secrets, and discriminatory pricing.
Uber waited more than a year to disclose the massive data breach. Hackers accessed the names, email addresses and phone numbers of millions of passengers, and about 600,000 drivers had their license numbers compromised.
Adding to concerns about the sizable delay in notifying the public, elected officials and security experts are scrutinizing Uber's decision to pay a ransom to the hackers in exchange for deleting the stolen data and keeping the incident secret.
Since Uber first disclosed the data breach earlier this week, five attorneys general have launched investigations into the company. “We have serious concerns about the reported conduct,” said Massachusetts Attorney General Maura Healey in a statement.
Beyond Healey's probe, attorneys general Eric Schneiderman of New York, Lisa Madigan of Illinois and George Jepsen of Connecticut are also looking into the matter. Though these three have not revealed the exact nature of their investigations, many state laws require that companies notify customers when their data has been stolen. Josh Hawley of Missouri, another state attorney general who has opened an investigation into Uber, recently also announced a probe into Google's handling of consumer data and potential anti-competitive behavior as a dominant search engine.
The Uber data breach has also prompted individual customers to action. Plaintiffs have filed three separate lawsuits in California and Oregon that allege Uber was negligent in its failure to protect consumer data.
The suits also claim that consumers were harmed by having their data compromised without being notified in a timely manner. In each case, the plaintiffs are seeking to sue Uber as part of a class action.
“None of this should have happened, and I will not make excuses for it,” said Uber Chief Executive Dara Khosroshahi in a blog post earlier this week detailing the data breach. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.” The two individuals who led the company's response to the data breach have been removed, he said.
In response to the investigations, an Uber spokesman said in a statement Friday, “We've been in touch with several Attorney General Offices and the [Federal Trade Commission] to discuss this issue, and we stand ready to cooperate with them going forward.”
A spokesman for the FTC told The Washington Post in a statement, “We are aware of press reports describing a breach in late 2016 at Uber and Uber officials’ actions after that breach. We are closely evaluating the serious issues raised.” As the nation's top consumer privacy watchdog, the FTC can take law enforcement action against companies to ensure that they live up to their privacy and security promises. The commission has previously gone after businesses that have misled consumers by failing to safeguard sensitive information.