Chicago, Cook County Sue Uber Over 2016 Data Breach

CHICAGO, IL — The City of Chicago and Cook County are suing Uber Technologies over the ride service's failure to protect the personal information of more than 57 million customers and drivers during a massive 2016 data breach. The consumer fraud lawsuit, which was filed Monday in Cook County Circuit Court, also claims the San Francisco-based company didn't alert the public or authorities of the breach for a year, according to city and county officials.

“We filed this lawsuit because Uber must be held accountable for its actions which have made its customers vulnerable to identity theft, fraud, and other abuse,” Cook County State’s Attorney Kim Foxx said in a statement Monday. “Consumers expect and deserve protection from disclosure of their personal information. I am committed to ensuring that those who don’t follow these laws cannot simply sweep it under the rug.”

Last week, Uber revealed that the personal data — including email addresses, phone numbers and driver's license numbers — of around 50 million users and 7 million drivers had been stolen by hackers in a cyberattack last year. The company also revealed that it paid the hackers $100,000 to delete the information and had them sign nondisclosure agreements to keep them from disclosing the information breach to the public. Uber then hid that payment in the ride service's "bug bounty" program to further conceal the incident, according to the city and county lawsuit.

RELATED: Uber Breach Of 57M Users' Data Kept Secret For A Year

"None of this should have happened, and I will not make excuses for it," new Uber CEO Dara Khosrowshahi said in a Nov. 21 statement concerning the breach. Khosrowshahi was informed of the incident two weeks before starting the job Sept. 6, but kept it secret until Uber's official announcement.

"While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers," he added.

The complaint by the city and county claims Uber violated the Illinois Consumer Fraud and Deceptive Business Practices Act, as well as the Chicago Municipal Code, by not taking sufficient steps to protecting its data and then concealing the system hack for a year. The lawsuit is seeking civil penalties and fines, including asking the court to order Uber to pay $10,000 for every ordinance violation involving a Chicagoan and for each day the violation existed, according to the Chicago Tribune.

"Companies cannot be permitted to violate the law by failing to safeguard personal information and then covering it up, preventing those impacted from taking steps to protect themselves," City of Chicago Corporation Counsel Ed Siskel in a statement. "We are again protecting our residents while putting companies on notice that they need to take the proper precautions with sensitive information."

In 2014, Uber had a small data breach after a database with identifying information was posted on GitHub, a software development platform that was then accessed by hackers, according to the city and county lawsuit. Following that breach, the company said it would upgrade security but then didn't take those steps, the lawsuit states. That lack of follow-through led to the larger breach in 2016, the complaint contends.

Along with Monday's legal action by Chicago and Cook County, nearly a dozen federal class-action lawsuits have been filed against Uber since the company's Nov. 21 announcement about the data breach, including a suit in U.S. District Court in Chicago, according to the science and technology website Ars Technica.

"We are committed to changing the way we do business, putting integrity at the core of every decision we make, and working hard to regain the trust of consumers," Uber spokeswoman Molly Spaeth said in a statement to the Tribune.

According to Khosrowshahi, Uber's forensics experts don't believe data, such as trip location history, credit card numbers, bank account numbers, Social Security numbers and birthdates, were compromised in the breach. The company has notified drivers affected by the breach and will offer them free credit monitoring, Ars Technica reports.

Also See: Report: Uber hired hackers to cover up data breach

More via the Chciago Tribune and Ars Technica

Images via Shutterstock and Uber Technologies