“Uber knew or should have known its security systems were inadequate.”
In the 48 hours since the explosive revelations that Uber sustained a massive data breach in 2016, two separate proposed class-action lawsuits have been filed in different federal courts across California.
The cases allege substantial negligence on Uber’s part: plaintiffs say the company failed to keep safe the data of the affected 50 million customers and 7 million drivers. Uber reportedly paid $100,000 to delete the stolen data and keep news of the breach quiet.
On Tuesday, CEO Dara Khosrowshahi wrote: “None of this should have happened, and I will not make excuses for it.”
The first case, Alejandro Flores v. Raiser, which was filed Tuesday in federal court in Los Angeles, described Uber’s conduct as “grossly negligent,” and added that the company “departed from all reasonable standards of care.” (Raiser is Uber’s subsidiary that contracts with drivers.)
Another lawsuit was submitted Wednesday in federal court in San Francisco on behalf of two people in South Carolina.
Lawyers who filed Danyelle Townsend and Ken Tew v. Uber, allege that the company should have had “administrative, physical and technical safeguards, such as intrusion detection processes that detect data breaches in a timely manner, to protect and secure Plaintiffs’ and Nationwide Class members’ [personally identifiable information].”
“Major corporations like Uber face a higher threat of security breaches than smaller companies due in part to the large amounts of data they possess,” they wrote. “Uber knew or should have known its security systems were inadequate, particularly in light of the prior data breaches that Uber had experienced, and yet Uber failed to take reasonable precautions to safeguard the PII of Plaintiffs and members of the Nationwide Class.”
The law firm which brought Townsend, Keller Rohrback, has represented numerous clients in similar data breach lawsuits, including cases involving Sony, Equifax, and more.
“By choosing not to disclose this massive data breach and attempting to mitigate the breach by paying the hackers to destroy the data, Uber has essentially rolled the dice with its customers’ and drivers’ personal identities,” Cari Campen Laufenberg, a Keller Rohrback attorney said in a statement sent to Ars.
“What’s more, it has done so for more than a year–denying these victims the crucial opportunity to take timely steps to mitigate the disclosure of their private information.”
Uber did not immediately respond to Ars’ request for comment late Wednesday evening.