Pennsylvania Attorney General Josh Shapiro [official website] on Monday filed a lawsuit [complaint, PDF] against Uber [official website] for violating the state’s Breach of Personal Information Notification Act [text].

“Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach,” said Shapiro [official press release]. “Uber hid the incident for over a year – and actually paid the hackers to delete the data and stay quiet.”

The breach in question occurred in October 2016. Uber withheld the breach [NYT report] from the public for over a year until finally admitting to the security failure [press release] in November 2017.

The 2016 breach affected 57 million driver and rider accounts, which included roughly 25 million American users and 4.1 million American drivers. The hackers gained access to the names, emails, and phone numbers of those accounts. The suit alleges that the most significant breach occurred for a subset of 600,000 Uber drivers, including at least 13,500 Pennsylvania citizens, who had their US driver’s license numbers exposed. The complaint treats each of Uber’s failure to notify an affected driver as a separate violation, allowing Shapiro pursue civil penalties of $1,000 to 3,000 for each violation depending on the consumer’s age. Thus, the first suit filed under Pennsylvania’s breach notification law since its enactment in 2005 carries a potential fine of at least $13.5 million.

Additionally, Uber is accused based on its actions surrounding the breach of “fraudulent or deceptive conduct which creates a likelihood of confusion or misunderstanding” under Pennsylvania’s Unfair Trade Practices and Consumer Protection Law [text].

Uber spokesman Craig Ewer issued[PennLive report] the following statement:

“While we make no excuses for the previous failure to disclose the data breach, Uber’s new leadership has taken a series of steps to be accountable and respond responsibly. We investigated the incident, disclosed the circumstances to state and federal regulators, and reached out to state Attorneys General, including Attorney General Shapiro, to express Uber’s desire to cooperate fully with any investigations. While we dispute the accuracy of some of the characterizations in the Pennsylvania Attorney General’s lawsuit, we will continue to cooperate with them and ask only that we be treated fairly.”

At least 43 other state attorneys general have been investigating this data breach.