Pennsylvania Attorney General Josh Shapiro on Monday filed a lawsuit against Uber Technologies, Inc. for what he termed the violation of Pennsylvania’s data breach notification law.

According to Shapiro, Uber knew for more than a year that a data breach potentially impacting 57 million passengers and drivers around the world had happened – but the company failed to disclose the breach until last November.

“Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach,” Shapiro said. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year – and actually paid the hackers to delete the data and stay quiet.”

The lawsuit alleges Uber violated the Pennsylvania Breach of Personal Information Notification Act, which requires notice to persons impacted by a data breach within a “reasonable” time frame.

The suit represents the first time Attorney General Shapiro is suing under that statute on consumers’ behalf. Under the law, the Attorney General’s office may seek remedies of up to $1,000 for each violation. With at least 13,500 Uber drivers impacted by the breach, the Attorney General’s legal team can seek civil penalties as high as $13.5 million from Uber.

READ:  UK Government Issues Cybersecurity Guidance for Autonomous Vehicles

At least 13,500 Pennsylvania Uber drivers were impacted by the 2016 breach. Their first and last names and their drivers’ license numbers were stolen by hackers. Under Pennsylvania’s data breach notification law, Uber was required to notify impacted persons of the breach within a reasonable time frame, but the company failed its duty to do so.

A second claim in the lawsuit against Uber alleges the company’s conduct violated the Pennsylvania Unfair Trade Practices and Consumer Protection Law.

As many as 43 state Attorneys General have been investigating this data breach.

Pennsylvania drivers impacted by the Uber breach finally began receiving notice from the company of the breach beginning last November – more than a year after the breach occurred.

Attorney General Shapiro encouraged any Pennsylvanian who believes he or she may have been impacted by the Uber breach to file a complaint with his Bureau of Consumer Protection.

“We want to hear from you,” Attorney General Shapiro said. “Call my Bureau of Consumer Protection at 1-800-441-2555 or email us at scams@attorneygeneral.gov. Call me. We’re standing up to this company, and we need to know if you’ve been harmed.”