The city of Chicago has sued ride-hailing company Uber over revelations that the company attempted to cover up a 2016 data breach that exposed personal information of 57 million people.
"Uber willfully and intentionally exposed many Chicago and Illinois residents to the risks of identity theft and financial fraud, tax return scams, and other potential harm," Cook County attorneys write in a complaint filed Monday in state court in Illinois.
The suit comes several days after it came to light that Uber suffered a data breach in October 2016 that resulted in the theft of email addresses and phone numbers of around 50 million customers and 7 million drivers, and driver's license numbers for 600,000 people. Uber then allegedly paid hackers $100,000 to destroy the information.
The company, which was under investigation by the Federal Trade Commission at the time of the data breach, didn't disclose the incident until last week. Since then, various regulators have announced investigations of the company, and lawyers for consumers have brought potential class-action complaints.
The Chicago authorities allege that Uber violated various Illinois laws, including a state law requiring companies to notify people about data breaches. The city is seeking fines of at least $10,000 a day for each day Uber allegedly concealed the breach.
The complaint in Chicago alleges that Uber should have beefed up its security after suffering a prior data breach in 2014, and that the company violated state law by failing to inform residents about the data breach.
"Using a relatively low-level attack, hackers were able to access Uber's massive trove of user data stored on a third-party cloud service, by exploiting virtually the same security flaw attackers used nearly a year prior to breach its systems," the complaint alleges. "Rather than face further backlash and lose more customers and drivers, Uber opted to cover up the breach."
The complaint adds that any promise by the hackers to delete the data was "meaningless."
"Criminal hackers couldn't possibly be trusted to protect user data," the complaint alleges.
The city tapped privacy lawyer Jay Edelson to serve as special prosecuting counsel in the matter. Edelson has brought privacy complaints against numerous Silicon Valley companies, including Amazon, Google, Facebook and Apple.