Our website uses marketingcookies to promote claims and find claimants. By clicking 'Ok' you agree to our use of marketingcookies. By clicking 'Cookies' at the bottom right, you will undo your permission. Read more in our cookie statement.
In October 2016 personal data of 57 million Uber customers around the world were stolen as a result of a data breach at Uber. Uber subsequently failed to disclose the breach for more than a year. This is a clear violation of privacy rules. Uber users outside the USA and China with an Uber account registered before July 2015 are eligible to claim compensation. We claim €250 per user.
In October 2016 personal data of 57 million Uber users around the world were stolen by a computer hacker. Despite the legal obligation to provide for reasonable security while processing data and the obligation to report data breaches, Uber failed to disclose the data breach for more than a year. Uber users (riders and drivers) outside the USA and China that had their Uber account registered before July 2015 are eligible to participate in this privacy claim against Uber. They can sign up for free (no cure no pay) by using the (short) form on this page. If a minimum number of claimants participate, we will start legal proceedings and claim €250 per account.
More information is provided below. Please download the factsheet for more extensive information.
In October 2016 taxi company Uber became aware of a large-scale data breach in its systems. Personal information of Uber drivers and riders around the world was downloaded by a computer hacker from a back up server. The stolen data included the names, email addresses and cellphone numbers of 57 million accounts around the world. In addition, driver's license numbers from 600.000 Uber drivers in the USA were compromised.
Instead of disclosing the data breach as legally required, Uber paid the hackers hush money of $ 100.000 to hide the attack. Only on the 21st of November 2017, more than a year later, Uber issued a statement acknowledging the data breach. It is unclear why Uber has kept the data breach secret for such a long period of time. The data breach occurred in the midst of a nonpublic investigation by the FTC.
How did Uber act wrongfully?
The allegations are threefold:
1. The data breach is an infringement of your privacy. 2. Uber violated privacy regulations to secure personal data properly. In short: European privacy law requires an adequate level of security. These requirements have not been met. 3. Uber violated privacy regulations by keeping the data breach silent to the affected parties and the relevant privacy authorities.
Uber has admitted that she acted incorrectly by not disclosing the data breach. An FTC investigation showed that the personal data could relatively easy be accessed despite previous privacy violations (in 2014) and despite promises on implementing extra security measures, as previously announced by Uber.
Why is it harmful?
The data breach has reduced the personal security level of the affected Uber users permanently. For example, affected people become vulnerable to cyber crime and scamming like phishing emails, unwanted phone information requests, text spam (sms-ting), etc. Alarming is that personal information from other hacks can be combined and/or accumulated so hackers can access even more personal information which can eventually lead to identity theft and other cybercrimes.
In addition, victims are deliberately not informed of the fact that their data had been stolen. As a result, the opportunity to take security measures (for example change their passwords or to be extra alert to irregularities) was taken away from them.
Which damages will be claimed?
Which damage exactly has occurred in each individual case can hardly be traced. Therefore we will claim a fixed amount of € 250 compensation per hacked Uber-account. Once new information about the hack becomes available to us, the amount may be adjusted accordingly.
Where do we claim?
In the Netherlands. Ubers relevant activities outside the USA and China are legally carried out from the Netherlands and are governed by Dutch law. Therefore all claims outside the USA and China can be brought before the Dutch court.
The lawyer in this case is Menno Weij from law firm SOLV Advocaten. He specializes in Privacy and ICT law and is also a member of the board of the Dutch Association for Information Technology & Law.
Can I apply?
All Uber users (riders and drivers) with an Uber account before July 2015 that was registered outside the USA and China, can apply.
You can check the date of your first ride in 'Your rides' in the menu of your Uber app and scroll down to the first ride. Note that scrolling down may take some time (seconds) for the app has to download older data. If you deleted the app, you may download it again. If you don't want to do that, you may check your creditcard statements to determine the date of your first ride. Advice: take a (screenshot)picture. You may need this as evidence later.
How can I support the case?
You can support the case by sharing a message on social media or WhatsApp, for instance by using the sharing link in the picture above.
What are the conditions?
Singing up now is free of any obligation. Before the case starts, you will receive an email from us containing a link to a login account to (easily) complete your registration. Participation will be free of charge, you will give up maximum 20% of the (net) recovery. If there is no recovery, you will not have to pay anything (no cure no pay). If it turns out that your personal data were for any reason not among the stolen data, you will not be entitled to receive compensation.
We may have to ask for one or more screenshots from first or past rides (before July 2015) and your account details. Hence, if you look up the data of your first ride, a screenshot might come in handy in due time.
Please note that this is a collective claim and therefore personal circumstances will not be taken into account. If you think you have suffered more damages, for example because your creditcard was debited unauthorized as a result of the data breach, please be aware that you can no longer claim these damages if you participate in this claim. If you participate, you will settle for the (collective) result we achieve for you.
Further information will follow soon.
What is the purpose of this legal action?
The Dutch Data Protection Authority (Dutch DPA) has imposed a fine of € 600.000 upon Uber. A fine does not include compensation for claimants. The first aim is to receive compensation. The broader purpose of this action is to stop Uber - and other tech giants that collect and process lots of personal information - from disregarding peoples privacy rights.
You can check the date of your first ride in 'Your rides' in the menu of your Uber app on the left side of your screen and scroll down to the first ride. Note that scrolling down may take some time (seconds) for the app has to download older data. If you deleted the app, you may download it again. If you don't want to do that, you may check your creditcard statements to determine the date of your first ride.
Open your Uber app and click on ‘Legal’ in the menu on the left side of your screen. Click on ‘Terms and Conditions’. When the first paragraph of article 1 states services made available by Uber B.V. (Mr. Treublaan 7, Amsterdam in the Netherlands), we assume you have contracted with Uber B.V. and therefore registered outside the USA and China.
It is necessary for us to know your e-mail address to be able to contact you. In addition, with the date of your first ride we are able to verify whether your Uber account was registered before July 2015. It is sufficiënt to enter a date which was not even your first ride, as long as the date of your ride concerns an existing Uber journey before July 2015. We may ask you to provide supporting evidence, so it might be useful to take a screenshot of your first ride and save it for later.
Yes you can. As long as you can prove your first ride was before July 2015.
If you deleted the app, you may download it again. If you don't want to do that or if you deleted your Uber account, you may check your creditcard statements to determine the date of your first ride. Advice: take a (screenshot)picture. You may need this as evidence later.
Yes but you can use one email address per registration. So use your business e-mail address when you register with your business Uber account and use your private e-mail address when you register with your private Uber account.
ClaimShare uses your information only for the purposes of this case. We will inform you about the status of the case. For example Before the case starts, you will receive an e-mail from us containing a link to a login account to (easily) complete your registration. Why and how we do this you can read in our Privacy Statement.
Because we are not cyber experts, we refer you to the response of Uber and advices of the National Cyber Security Center (NCSC).
Uber's response to the data breach is that no action is required. According to Uber there is no evidence of fraud or misuse of the stolen data in connection with the hack. If you suspect misuse, you are advised to set a new password. The English NCSC however, recommends to take security measures. Which ones you can read here. NCSC mentions, among other things, changing your password, being alert to phishing e-mails and calls from scammers.
The American authority FTC has determined Uber has simply failled to provide adequate secured acces to personal data. Not all data leaks are down to poor security. Moreover, the long-term concealment of such a large-scale data leak is exceptional and harmful.
It is expected that Uber will be fined for violating the law. A fine does not include compensation for claimants. The first aim is to receive compensation. Due to its high costs, claiming compensation is only of interest by starting a class action lawsuit. The broader purpose of this action is to stop Uber - and other tech giants that collect and process lots of personal information - from disregarding peoples privacy rights.