SAN FRANCISCO (CN) – A federal judge indicated Thursday she would toss a nearly three-year-old class action accusing Uber of failing to protect drivers’ private information, but encouraged the parties to reinitiate settlement negotiations.
U.S. Magistrate Judge Laurel Beeler seemed to tentatively grant Uber’s motion to dismiss the case for lack of standing, because the plaintiffs had not shown their social security numbers were disclosed in a 2014 hack of Uber’s database containing driver information.
“It’s not there. It’s just not what you think it is,” Beeler said during a hearing in downtown San Francisco. “It really isn’t enough to allege a case.”
Former Uber driver Sasha Antman sued the ride-hailing company in March 2015, claiming it failed to secure his personal information in the attack and took too long to notify drivers their information had been stolen. The attack led to an attempted theft of his identity when someone applied for a Capital One credit card in his name, he claims.
Gustave Link, a second ex-driver added to the lawsuit this past July, claims the Internal Revenue Service rejected his 2014 tax return because someone used his stolen information to file a fraudulent return in his name and to collect his tax refund.
The May 2014 data breach gave an unknown entity access to the personal information of roughly 50,000 drivers, according to a statement issued by Uber almost a year later. Gibson, Dunn & Crutcher attorney Michael Wong, representing Uber, said in court Thursday the company believes a competitor hacked its database, not an identity thief. He declined to name the competitor, but Uber has in the past blamed Lyft for the breach.
Beeler dismissed Antman’s first amended complaint in December 2015 for lack of standing, because Antman had only claimed the theft of driver names and license numbers. The judge concluded that without a hack of higher-stakes information such as social security numbers, there was no “obvious, credible risk” of identity theft that risked “real, immediate injury.”
Wong repeated that finding on Thursday, arguing the plaintiffs had not shown harm in their second amended complaint.
Antman had again failed to show his social security number had been stolen, Wong said, or that the information the hacker did get was used to apply for the credit card – which would have required Antman’s social security number. And Link had not shown his information was even in the hacked database, Uber added in a brief.
“Although we have conceded that there was a small number of other drivers’ social security numbers in the database, there are no allegations that these drivers’ numbers were in it,” Wong said.
Antman and Link had their identities stolen using their social security numbers, and neither has been notified that the numbers were stolen in any other data breach, according to the complaint.
Theodore Maya, an attorney with Ahdoot & Wolfson who represents the plaintiffs, countered that his clients had in fact shown direct harm. He noted Uber acknowledged after Beeler dismissed the complaint that drivers’ social security numbers had been taken – after initially announcing that the database contained only names and license numbers – and that Uber had refused to tell Antman whether his social security number was one of them.
“What they said to Mr. Antman was, ‘Your banking information was disclosed.’ What does that mean? I use my social security number in connection with banking,” Maya said.
Maya asked Beeler for permission to examine Uber’s database to determine what banking information was stolen. But Beeler said she did not believe the plaintiffs would find anything more than what Uber had already told them, and instead suggested the parties revisit settlement discussions over the next two weeks.
“I don’t want to let Uber off the hook entirely,” Beeler said in pushing for settlement. “You do have some responsibility to your drivers. I know you engaged in the settlement process in good faith, and it’s just sort of a shame that you’re here.”