Numerous federal and state agencies on Wednesday announced they’ve launched inquiries into Uber, one day after the ride-hailing company acknowledged it paid hackers $100,000 in hush money last year to keep quiet about a massive data breach affecting 57 million customers and drivers.
In addition to fielding inquiries from the U.S. Federal Trade Commission (FTC), attorneys general in at least five states say they’re investigating the hack.
So far, the list includes Connecticut, Illinois, Massachusetts, Missouri and New York, but it’s likely to grow given that all but two states have laws requiring affected individuals be notified in the event of a security breach.
Sen. Richard Blumenthal (D-Conn.) called out Uber on Twitter Wednesday, describing the company’s decision making as “inexplicable” and “corporate malfeasance.”
A disgruntled customer has also filed suit against Uber in Los Angeles, seeking class action status on behalf of all those affected.
Authorities in Australia, Britain and the Philippines are also investigating the incident.
The U.K.’s Information Commissioners Office, which helps oversee individual data privacy in the country, said in a statement Wednesday it informed Uber of its noncompliance and warned the company to expect fines.
British law sets an upper limit for failing to notify users of a data breach at 500,000 pounds (roughly $662,000), Reuters reports, but the ICO statement seemed to hint that more might be possible.
“It’s always the company’s responsibility to identify when U.K. citizens have been affected as part of a data breach and take steps to reduce any harm to consumers,” said James Dipple-Johnstone, ICO deputy commissioner. “Deliberately concealing breaches from regulators and citizens could attract higher fines for companies.”