A consumer fraud lawsuit against Uber on behalf of the people of Illinois and the city of Chicago was announced Monday by Mayor Rahm Emanuel and Cook County State’s Attorney Kim Foxx citing the rideshare company’s “year-long failure” to disclose a massive 2016 data breach that impacted 57 million drivers and users.
The complaint raises several claims under the Illinois Consumer Fraud and Deceptive Business Practices Act and the Chicago Municipal Code, stemming from Uber’s failure to adequately protect its data and actively concealing the breach once it occurred, a press release from the city of Chicago says.
"Not only did Uber allow a massive data breach that exposed the personal information of millions of drivers and passengers, they brazenly attempted to conceal this information from the public," Emanuel said in a statement. "The City of Chicago will not tolerate these kinds of irresponsible practices, which is why we are taking legal action to hold Uber accountable for their reckless actions."
Chicago Corporation Counsel Ed Siskel and Foxx filed the complaint in the Chancery Division of the Circuit Court of Cook County.
“We filed this lawsuit because Uber must be held accountable for its actions which have made its customers vulnerable to identity theft, fraud, and other abuse,” Foxx said in a statement. “Consumers expect and deserve protection from disclosure of their personal information. I am committed to ensuring that those who don’t follow these laws cannot simply sweep it under the rug.”
Citing the complaint, the city alleges Uber experienced a smaller data breach in 2014 that resulted from posting a database containing identifying information to the software development platform GitHub, which was subsequently accessed by hackers. After the 2014 breach, the city says, Uber agreed to make significant updates to its security practices to meet industry standards, but failed to do so. That failure allowed for the 2016 breach that is the subject of this lawsuit, in which hackers again were able to obtain vast amounts of personal information about millions of consumers and Uber drivers through improperly-secured Uber databases posted to GitHub.
“Companies cannot be permitted to violate the law by failing to safeguard personal information and then covering it up, preventing those impacted from taking steps to protect themselves,” Siskel said in a statement. “We are again protecting our residents while putting companies on notice that they need to take the proper precautions with sensitive information.”
The complaint further alleges that Uber violated State and municipal law when for a year it failed to disclose the data breach, as it was required to do by law. Uber became aware in November 2016 that criminal hackers had obtained the information, but rather than disclosing it instead made a substantial payment to the hackers in exchange for an agreement to “destroy” the improperly-obtained data, the city said. This payment was disguised as part of Uber’s “bug bounty” payment program, in an effort to conceal the breach and subsequent payoff, according to the press release.
The lawsuit seeks civil penalties and fines under the Illinois Consumer Fraud and Deceptive Business Practices Act and the Chicago Municipal Code.
Chicago and Cook County will be jointly represented by the outside law firm Edelson PC.
Edelson will be working on a contingency basis and its fees will be paid from any damages generated by this lawsuit.
A spokesperson for Uber said the company takes the lawsuit "very seriously" and would be happy to answer any questions regulators may have.
"We are committed to changing the way we do business, putting integrity at the core of every decision we make, and working hard to re-gain the trust of consumers," they said.