
Antman v. UBER Technologies, Inc.

United States District Court, N.D. California, San Francisco Division

May 10, 2018

SASHA ANTMAN and GUSTAVE LINK, individually and on behalf of others similarly situated, Plaintiffs,
v.
UBER TECHNOLOGIES, INC. and Does 1-50, Defendants.


          LAUREL BEELER United States Magistrate Judge.


         The plaintiffs are former Uber drivers who filed this class-action lawsuit against the defendant Uber Technologies - which operates a smart-phone application connecting drivers and passengers - after an unknown hacker downloaded drivers' personally identifiable information (“PII”) from Uber's computer system in May 2014, an event that Uber disclosed in February 2015.[1] In October 2015, the court dismissed the First Amended Complaint (“FAC”) - brought only by Mr. Antman - for lack of standing. Antman v. Uber Techs., Inc., No. 3:15-cv-01175-LB, 2015 WL 6123054, at *9-12 (N.D. Cal. Oct. 19, 2015) (Antman I). In part the court's analysis turned on Mr. Antman's failure to allege injury in fact because his complaint alleged only the theft of names and driver's license numbers and - without more PII disclosed, such as Social Security or account numbers that could be accessed - there was no plausible, immediate risk of fraud or identity theft. Id. at *11.[2]

         The parties then engaged in informal discovery and tried (unsuccessfully) to mediate the dispute.[3] The plaintiffs filed their Second Amended Complaint (“SAC”), adding Mr. Link as a named plaintiff.[4] The court again dismissed the case for lack of Article III standing again because the plaintiffs did not plausibly allege any risk of immediate harm.[5] The plaintiffs filed a Third Amended Complaint (“TAC”), raising the same claims that were in the SAC: (1) failure to implement and maintain reasonable security procedures to protect the drivers' personal information and promptly notify affected drivers, in violation of Cal. Civ. Code §§ 1798.81, 1798.81.5, and 1798.82; (2) unfair, fraudulent, and unlawful business practices, in violation of California's Unfair Competition Law (“UCL”), Cal. Bus. & Prof. Code § 17200; (3) negligence; and (4) breach of implied contract.[6] The first two claims are on behalf of a California class, and the third and fourth claims are on behalf of a national class or (in the alternative) a California class.[7]

         Uber moves to dismiss for lack of standing under Federal Rule of Civil Procedure 12(b)(1) and for failure to plead plausible claims under Rule 12(b)(6).[8] The court grants the motion and dismisses the complaint with prejudice.


         The named plaintiffs are Sasha Antman and Gustave Link. Both worked as Uber drivers in California.[10] They sue for Uber's failure to protect their PII “including names, driver's license numbers, banking information, Social Security Numbers, and other personal identifying information (collectively, ‘Private Information'), and for failing to provide timely and adequate notice to Plaintiffs and other Class members that their Private Information had been stolen and precisely what types of information were stolen.”[11]

         1. The Data Breach

         “Beginning in or around May 2014, a hacker or hackers utilized credentials that one or more of Defendant's employees made available via GitHub (a web-based app designed for sharing code among app developers) to access a database containing Defendant's drivers' Private Information (the ‘Data Breach'). In other words, Defendant not only permitted all of the compromised Private Information to be accessible via a single password, but allowed that password to be publicly accessible via the internet.”[12] “Defendant could have prevented this Data Breach. It appears that Defendant maintained the Private Information in unencrypted form, and that the hacker(s) were able to access it freely with a basic password.”[13]

         Uber disclosed the data breach on February 27, 2015 in a press release, set forth in whole here:

In late 2014, we identified a one-time access of an Uber database by an unauthorized third party. A small percentage of current and former Uber driver partner names and driver's license numbers were contained in the database. Immediately upon discovery we changed the access protocols for the database, removing the possibility of unauthorized access. We are notifying impacted drivers, but we have not received any reports of actual misuse of information as a result of this incident.
Uber takes seriously our responsibility to safeguard personal information, and we are sorry for any inconvenience this incident may cause. In addition, today we filed a lawsuit that will enable us to gather information to help identify and prosecute this unauthorized third party.

         Here is what we know:

• On September 17, 2014, we discovered that one of our databases could potentially have been accessed by a third party.
• Upon discovery we immediately changed the access protocols for the database and began an in-depth investigation.
• Our investigation revealed that a one-time unauthorized access to an Uber database by a third party had occurred on May 13, 2014.
• Our investigation determined the unauthorized access impacted approximately 50,000 drivers across multiple states, which is a small percentage of current and former Uber driver partners.
• The files that were accessed contained only the name and driver's license number of some driver partners.
• To date, we have not received any reports of actual misuse of any information as a result of this incident, but we are notifying impacted drivers and recommend these individuals monitor their credit reports for fraudulent transactions or accounts.
• Uber will provide a free one-year membership of Experian's® ProtectMyID® Alert. If impacted driver partners have questions or need an alternative to enrolling online, please call (877) 297-7780 and provide the Engagement number listed in the notification letter.
• We have also filed what is referred to as a “John Doe” lawsuit so that we are able to gather information that may lead to confirmation of the identity of the third party.[14]

         “Contrary to Defendant's representations [in the press release]: (a) the Data Breach compromised Private Information of many more than 50,000 drivers; (b) more Private Information than drivers' license numbers and names was disclosed in the Data Breach, including Social Security Numbers and banking information; (c) there have been reports of misuse of information as a result of the Data Breach, including the allegations of this lawsuit; and (d) Defendant did not ‘take seriously' its ‘responsibility to safeguard personal information,' nor did it take steps to ensure that the same thing would not happen again - to the contrary, it continued to allow credentials sufficient to access such Private Information to be posted on GitHub where, as Defendant was aware, those credentials could be (and would be) accessed by unauthorized parties, and it continued to fail to ensure that the Private Information in its possession could not be accessed without such credentials (for instance, by employing commonly used multi-factor authentication access protocols and encryption).”[15]

         At about the same time that it issued the press release, Uber issued notifications to victims of the data breach (including both named plaintiffs) with substantially the same information and informing them that their names and driver's license numbers were disclosed in the data breach.[16]

         In August 2016 (after the court's October 2015 order dismissing the FAC), Uber “issued more notifications to victims of the Data Breach informing them that additional Private Information was disclosed in the Data Breach (the ‘Second Breach Notification'), and offering another year of credit monitoring.”[17] “In its Second Breach Notifications, Defendant revealed that, contrary to the initial representations concerning the scope of the Data Breach in its Press Release and at the time of the Court's ruling on Defendant's motion to dismiss, additional Private Information was disclosed in the Data Breach, including banking information and Social Security Numbers, in addition to driver's license numbers and names.”[18]

         In October 2016, Uber had a second data breach, which was revealed in news reports on November 21, 2017: “the Private Information of some 57 million of Defendant's riders and drivers was accessed by hackers (the ‘2016 Data Breach').”[19] Uber paid $100,000 to the hackers to cover up the breach instead of notifying victims.[20] “According to the news reports, the 2016 Data Breach occurred when two hackers ‘accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.'”[21] “‘GitHub said the attack did not involve a failure of its security systems. “Our recommendation is to never store access tokens, passwords, or other authentication or encryption keys in the code,” that company said in a statement.'”[22]

         As evidence of Uber's dishonesty and efforts to impede or obstruct lawsuits and government investigations, the plaintiffs cite the Waymo v. Uber trade-secrets lawsuit (and information revealed there), Uber's operation of a “Marketplace Analytics Team” that used encrypted, self-deleting communications systems, and Uber's behavior in another lawsuit in the Southern District of New York.[23] The plaintiffs allege that Uber's representations about the scope of the data breach in its notifications and filings cannot be trusted.[24] Even if Uber's representations about the scope of the breach are true, “disclosure of the types of Private Information that Defendant admits were compromised presents a danger to victims. Information such as data breach victims' names, birth dates, email addresses, and other identifying information alone creates a material risk of identity theft. Identity thieves can use such Private Information to locate additional Private Information, such as financial information and Social Security Numbers, and use the combined information to perpetrate fraud such as, for instance, opening new financial accounts in victims' names, or filing false tax returns in victims' names and collecting the tax refunds.”[25]

         The plaintiffs want discovery to permit their expert to examine the forensic data and to find a suitable class representative (apparently because the named plaintiffs do not allege that their Social Security numbers were disclosed).[26]

         2. Harm to the Named Plaintiffs

         Mr. Antman worked as an Uber driver in San Francisco, California, “receiving his last payment for such services in or around September 2013.”[27] Mr. Antman “received a First Breach Notification from Defendant in or around March 2015, notifying him for the first time that his Private Information was disclosed in the Data Breach, even though he no longer was working as an Uber driver at the time of the Data Breach.”[28] The notice is attached as Exhibit A to the TAC, tracks the information in the press release (summarized above), and notified Mr. Antman that someone accessed one of Uber's databases once on May 13, 2014 and that the database had Mr. Antman's name and driver's license number.[29] Mr. Antman “also received a Second Breach Notification in or around August 26, 2016, via email, notifying him that, in fact, more of his Private Information was disclosed in the Data Breach than was referenced in the First Breach Notification, including his banking information.”[30] The notice is attached as Exhibit B to the TAC and notifies Mr. Antman that - among other things - his “name, bank account and routing number were contained in the database.”[31]

         “On or around June 2, 2014, an unknown and unauthorized person used Plaintiff Antman's Private Information to apply for a credit card with Capital One, which now appears on [his] credit report.”[32] “Plaintiff Antman spent significant time attempting to file a police report concerning this fraud, and working with banks and credit bureaus to secure his financial accounts against additional attempts to commit fraud against him, including by placing fraud alerts and freezes on his credit file. He subsequently experienced difficulty in obtaining new credit, obtaining financing for the purchase of a home, and noticed a stark decrease in the number of offers he receives for credit.”[33]

         Mr. Link worked as an Uber driver in the San Francisco Bay Area from approximately August 2012 until January 2015.[34] He “received a First Breach Notification from Defendant in or around March 2015, notifying him for the first time that his Private Information was disclosed in the Data Breach.”[35] “In August 2015, after the Data Breach, the IRS rejected Plaintiff Link's tax filing for the December 31, 2014 tax period. Mr. Link learned this was the result of fraud, which occurred when someone used his PII to file a fraudulent tax return in his name, and to collect his tax refund, all before Plaintiff Link attempted to file his taxes. As a result, Plaintiff Link was forced to re-file his taxes and wait over eight months to receive his 2014 tax refund.”[36]

Plaintiffs' investigation has revealed, and on that basis they are informed and believe, that following the Data Breach both Plaintiffs' Private Information, including their Social Security Numbers, have been made available for sale on the “dark web.” Neither Plaintiff has received notification that similar information has been disclosed as a result of some other data breach.[37]

         Uber's breach notifications to Mr. Antman and Mr. Link did not “include[] any explanation for the long delay in their issuance, or indicate that the delay was due to any law enforcement investigation.”[38] “In addition, Plaintiffs spent significant time addressing the Data Breach (see, e.g., ECF No. 30-1, Declaration of Sasha Antman).”[39]

         3. Harm to Class Members

         “Plaintiffs and other Class Members suffered injuries including but not limited to time and expenses related to monitoring their financial accounts for fraudulent activity, an increased, imminent risk of fraud and identity theft, invasion of their privacy, and loss of value of their Private Information.”[40] “Furthermore, Plaintiffs and other Class members were injured because they did not receive the benefit of the bargain entailed in the implied contracts between Plaintiffs and Defendant concerning security of their Private Information.”[41]

         The next section of the complaint is titled “The Stolen Private Information Is Valuable to Hackers and Thieves and Its Disclosure Harms Class Members.”[42] It includes the following allegations about harm:

65. It is well known and the subject of many media reports that Private Information like that taken in the Data Breach at issue is highly coveted and a frequent target of hackers.
66. Legitimate organizations and the criminal underground alike recognize the value in such Private Information. Otherwise, they wouldn't pay for it or aggressively seek it.
67. “Increasingly, criminals are using biographical data gained from multiple sources to perpetrate more and larger thefts.” Verizon 2014 PCI Compliance Report [link to report omitted].
70. The information compromised, including Class members' identifying information, is “as good as gold” to identity thieves, in the words of the Federal Trade Commission (“FTC”). . . .
71. The exposure of Plaintiffs' and Class members' Social Security numbers in particular poses serious problems. Criminals frequently use Social Security numbers to create false bank accounts, file fraudulent tax returns, and incur credit in the victim's name. Neal O'Farrell, a security and identity theft expert for Credit Sesame calls a Social Security number “your secret sauce,” that is “as good as your DNA to hackers.” [Citation omitted.] Even where data breach victims obtain a new Social Security number, the Social Security Administration warns “that a new number probably will not solve all [] problems . . . and will not guarantee [] a fresh start.” [Citation omitted.] In fact, “[f]or some victims of identity theft, a new number actually creates new problems.” One of those new problems is that a new Social Security number will have a completely blank credit history, making it difficult to get credit for a few years unless it is linked to the old compromised number.
73. As the FTC recognizes, once identity thieves have Private Information, they can drain your bank account, run up your credit cards, open new utility accounts, or get medical treatment on your health insurance.” [Citation omitted.]
76. There may be a time lag between when harm occurs versus when it is discovered, and also between when Private Information is stolen and when it is used. According to the U.S. Government Accountability Office (“GAO”), which conducted a study regarding data breaches:
[L]aw enforcement officials told us that in some cases, stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years. As a result, studies that attempt to measure the harm resulting from data breaches cannot necessarily rule out all future harm. [Citation omitted.]
77. Plaintiffs and Class members now face years of constant surveillance of their financial and personal records, monitoring, and loss of rights. The Class is incurring and will continue to incur such damages in addition to any fraudulent credit and debit card charges that may be incurred by them and the resulting loss of use of their credit and access to ...
