Chicago Files Lawsuit Against Uber over Data Breach

The city of Chicago has filed a lawsuit against Uber following the company’s failure to report a data breach that left 57 million Uber users vulnerable for over a year.

Ars Technica reports that a lawsuit has been filed against ride-sharing app Uber by the city of Chicago relating to the company’s recently revealed data breach. The latest lawsuit filed by the city of Chicago and Cook County adds to the ten federal lawsuits taken against the company in the wake of the hack. The case brought against Uber in Illinois state court claims that the company failed to keep the personal data of their 57 million users safe, constituting substantial negligence on Uber’s part.

The lawsuit states that former Uber CEO Travis Kalanick was contacted by the hackers behind the data breach in 2016. The hackers had managed to steal the data by gaining access to a private GitHub repository used by Uber software engineers, then used database login credentials found in the repository to steal user information stored on Uber’s servers.

Chicago’s attorneys stated, “While the repository was password-protected, hackers were still able to breach it — indicating either a very weak password or the fact that the user credentials for the repository were found in a previous unrelated data breach. And even though Uber specifically promised regulators that it would use two-factor authentication on services like GitHub, it clearly failed to implement that promise. Once inside the GitHub repository, the attackers once again found AWS login credentials, which the attackers then used to access and extract the personal information of over 50 million people, including Chicago and Illinois residents.”

Under the guidance of former Uber chief security officer Joe Sullivan, the company reportedly paid the hackers $100,000 to delete the stolen user data, a claim that the city of Chicago believes is “nonsensical.” Chicago’s attorneys stated, “It has not demonstrated, in any way, how or why it knows the data was actually deleted,” they wrote. “No matter what documents the hackers signed, or representations they made, Uber is saying little more than that they trust the word of criminals.”

Similar class-action lawsuits were filed against Uber in San Francisco; Los Angeles; Allentown, Pennsylvania; Portland; and Huntsville, Alabama. On Monday, a group of senators led by Sen. John Thune (R-S.D.) and Sen. Orrin Hatch (R-Utah) demanded a “detailed timeline” of the events surrounding Uber’s hack to be submitted by December 11th.

Sen. Mark Warner (D-Va.) asked the company, “To the extent Uber had lawfully acquired information enabling it to identify the hackers who had compromised its systems, ensure they would abide by agreements to delete the data and not to disclose the breach, and transfer them $100,000, it conceivably had enough information at hand to assist law enforcement in the apprehension of these criminals.” He continued, “why did Uber choose not to provide relevant forensic information to law enforcement and has this information been provided to law enforcement in the last week?”

An Uber spokesperson sent a statement to the Chicago Tribune which reads, “We are committed to changing the way we do business, putting integrity at the core of every decision we make, and working hard to regain the trust of consumers.”