Joseph Cardile, left, and Jeffrey Criswell, right, of Thomas Thomas & Hafer.

On Nov. 21, 2017, ride-sharing giant, Uber, issued a press release stating that it had fallen victim to a cyberattack in late 2016. Per the release, the names and drivers' license numbers of approximately 600,000 Uber drivers and the names and contact information of approximately 57 million Uber riders were “inappropriately accessed” by hackers from a third-party cloud-based service used by Uber. In Pennsylvania alone, at least 13,000 Uber drivers' information is believed to have been compromised. While the magnitude of the breach grabbed headlines, it was Uber's response to the breach that caught the attention of private litigants and governmental authorities.

According to a complaint filed against Uber by the city of Los Angeles, Uber paid the hackers $100,000 to destroy the stolen data, portraying the payment as a fee to test its system vulnerabilities, and required the hackers to sign nondisclosure agreements. Even more problematic, according to the city of Los Angeles, was Uber's nearly year-long delay in reporting the breach to affected stakeholders. The lawsuit, filed within two weeks of Uber's disclosure of the breach, alleges that Uber violated California law requiring companies to report cyberattacks “in the most expedient time possible” and “without unreasonable delay.” Chicago filed a similar lawsuit and a suit seeking class action status was filed in California within hours of Uber's disclosure of the breach.

The consequences for Uber have not been limited to litigation. In addition to the resignation of three senior managers from its international business operations and physical security groups, Uber is being investigated by both foreign and domestic governments, including the Pennsylvania Attorney General's Office.