The city of Chicago has filed a lawsuit against Uber for failing to disclose a 2016 data breach that affected 57 million of its users.
The lawsuit comes just days after the Illinois attorney general’s office told Recode that it was opening an investigation into the company.
In addition to failing to notify users and the public about the information that was exposed, the company paid the hackers $100,000 to delete the data and subsequently had them sign nondisclosure agreements. The city further alleges that the ride-hail company failed to correct security vulnerabilities that led to a previous data breach in 2014.
The complaint reads:
“After the details of Uber’s May 12, 2014 data breach were revealed to the public, Uber was investigated by a number of state and federal regulators that were concerned about its inadequate data security practices. Uber ultimately promised to bolster its data security policies by, inter alia, adopting protective technologies for the storage, access, and transfer of private information … less than a year later the same failures led to a breach that was one thousand times worse.”
The city, which is also suing Uber on behalf of Illinois residents, is asking for a series of monetary damages in addition to a jury trial. The city has asked that a judge fine Uber $10,000 a day for each day that it violated the state’s ordinance on public information disclosure.
The city is also asking for the court to levy a $50,000 fine against the company for violating the Illinois Consumer Fraud Act.
In addition to Illinois, at least four other states — Massachusetts, Missouri, New York and Connecticut — told Recode that they would investigate the matter, after Uber revealed that the intrusion exposed names, addresses and driver’s license numbers in some cases.
Additionally, the company is facing a series of questions from the U.S. Congress over why it took so long to disclose the hack. Some of those lawmakers asked for a full timeline of what the company discovered about the breach.
Others, like Democratic Sen. Mark Warner, who sent his own letter to Uber on Monday, asked Uber how it managed to find the hackers in the first place. Given Uber’s “past pattern of conduct,” Warner wondered if the company tried to “hack back” the hackers, which is illegal under federal law.
Update: An Uber spokesperson responded to our request for comment: “We take this matter very seriously and we are happy to answer any questions regulators may have. We are committed to changing the way we do business, putting integrity at the core of every decision we make, and working hard to re-gain the trust of consumers.”