Mere hours after Uber admitted paying hackers $100,000 to delete masses of data they stole from the company and keep quiet about it, the first lawsuit has hit.
Filed in a Los Angeles federal court, the suit states that “Uber failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach,” according to Bloomberg.
This would presumably be a reference to the fact that Uber did not encrypt the data that it was storing, and that was subsequently stolen: names, email addresses and mobile phone numbers for 57 million passengers and drivers around the world, plus driver’s license details for 600,000 Uber drivers in the U.S.
The lawsuit, launched by a customer, is aiming for class-action status. Meanwhile, New York attorney general Eric Schneiderman has also launched an investigation into the incident.
Uber is lucky that the EU’s new General Data Protection Regulation (GDPR) hasn’t come into force yet; it will do so in May next year.
The GDPR carries strict rules for breach notifications, and Uber would probably have broken at least three: not properly protecting the data, not telling regulators about the hack, and not informing its customers until a year later. The GDPR carries fines of up to 4% of global annual revenues for particularly egregious cases such as this one.
Nonetheless, the news of the hack and its cover-up has already caused a stir in some EU countries. The U.K. Information Commissioner’s Office said Wednesday that it is working with the National Cyber Security Centre to figure out how bad the breach was, and how many British people were affected.