In the wake of a major data breach, ridehailing company Uber, already facing a class action complaint from customers who say the company’s workplace culture allowed improper access to rider information, must now also face a lawsuit brought by the city of Chicago and Cook County, leveling much the same allegations and receiving aid from a Chicago trial lawyer renowned for routinely suing tech companies.
Ten named plaintiffs filed a class action complaint Nov. 22 in Chicago federal court saying upper and lower level Uber employees — as well as those interviewing for jobs — had “access to sensitive and private rider data.” They say the company violated the Wiretap Act, Stored Communications Act and Computer Fraud and Abuse Act, as well as various state and common laws, in the way it captures, collects, stores and safeguards rider data. It comes at the same time as similar actions from multiple attorneys general and ongoing federal probes.
The complaint, filed by attorneys with the Sulaiman Law Group Ltd., of suburban Lombard, restated the known facts of the data breach that was revealed earlier this month, more than a year after it occurred in October 2016. In that breach, hackers allegedly accessed names, email addresses and phone numbers of 50 million Uber passengers around the world, as well as personal information of 7 million drivers, including 600,000 American drivers license numbers.
The complaint also faulted Uber for allegedly paying $100,000 to “hackers who allegedly promised to delete hacked rider and driver data and keep quiet about the data breach.”
In addition to Uber Technologies, Inc., and its parent, Rasier, LLC, named defendants include co-founder Travis Kalanick, CEO Dara Khosrowshahi and former chief legal counsel Salle Eun Yoo. Also named are Katherine M. Tassi, who was Uber’s managing counsel of data privacy from August 2014 to October 2016, and Sabrina Ross, who held the same title and started with Uber in May 2015. The complaint also named Joe Sullivan, who as Uber’s chief information security officer “spearheaded the 2016 data breach investigation,” and John Flynn, also an Uber chief information security officer, as well as anonymous Uber employees, and Apple, Inc., and its CEO Tim Cook.
As one example, the plaintiffs said “Uber’s warped culture has led Uber employees to analyze rider data to hypothesize whether riders have used the Uber app to drive to and return from sexual encounters.” They said the company has a history of data security concerns, including failure to make timely disclosure of breach events and firing Ward Spangenberg, a forensic investigator who raised concerns about internal security measures and now is embroiled in a wrongful termination suit.
The complaint further alleged “Uber’s ‘Privacy Policy’ is purposely confusing, vague and open ended,” including failing to include an adequate definition of “legitimate business interests” that would allow employees to access private rider data. It said the defendants drafted and approved the policy, using “obtuse legal mumbo-jumbo, which amount to nothing more than corporate double-speak platitudes,” to provide a false sense of security.
Although the plaintiffs accused Uber of circumventing Apple’s protocols governing data collection by application developers, Apple and Cook are included as defendants because, the plaintiffs said, the company “appears to have obtained unprecedented permission from Apple to capture screen data’ using hidden code that allowed collection even when the Uber app was running in the background. They said Uber repeatedly violated Apple’s terms of service for app developers, yet was not expelled from its developer program.
In addition to class certification and a jury trial, the plaintiffs seek damages, injunctive and equitable relief.
The private class action was followed on Nov. 27 by a lawsuit filed by Chicago City Hall and Cook County State’s Attorney Kim Foxx against Uber.
The lawsuit was purportedly filed in Cook County Circuit Court on behalf of all residents of Chicago and Illinois whose personal information may have been compromised in the October 2016 hack.
It specifically faults Uber for allowing hackers to access that data on its servers using almost exactly the same tactics that allowed them to obtain Uber users’ data two years earlier – revealing Uber had not either put in place safety measures or had not enforced them sufficiently to remedy the problems revealed in the initial hack.
In addition to city attorneys and county state’s attorneys, the complaint notes the city and county have also added attorney Jay Edelson, of Chicago-based Edelson P.C., to serve as assistant city corporation counsel and as a special assistant state’s attorney on this case.
Edelson has gained notoriety in recent years for his firm’s work to spearhead numerous class action lawsuits against a number of companies, and tech companies in particular.
In their lawsuit, the city and county allege Uber’s handling of the data breach, and its failure to notify its users of the breach, violated city ordinances and Illinois consumer fraud law.
The lawsuit asks the court to order Uber to pay fines under the city ordinances $10,000 per violation per day, as well as fines under the state law of up to $50,000 per violation.