Federal magistrate finds a hack of only names and driver’s licenses is not enough to sustain data breach case against Uber

Recently, a federal magistrate for the Northern District of California found that a data breach of the names and driver’s license numbers of drivers stolen from the rideshare company Uber was not enough to show a “credible risk of identity theft that risks real, immediate injury.”

In May 2014, approximately 50,000 drivers had their names and driver’s license numbers hacked from an Uber database by an unauthorized third party. In April 2015, a former Uber driver, Sasha Antman, filed a class action lawsuit against the company alleging that Uber failed “to secure and safeguard its drivers’ personally identifiable information including names, drivers[’] license numbers[] and other personal information.”

As part of his showing of injury, Antman cited to a June 2, 2014, incident where an “unknown and unauthorized person used [his] private information to apply for a credit card with Capital One.” Other than temporal proximity, Antman offered no other evidence that linked the hack of his name and driver’s license number to the opening of the unauthorized credit card. In addition, Antman alleged that he and his fellow class members “now face years of constant surveillance of their financial and personal records, monitoring[] and loss of rights” due to the breach.

The magistrate dismissed the lawsuit finding that plaintiff lacked Article III standing because Antman’s allegations are “not sufficient because his complaint alleges only the theft of names and driver’s licenses. Without a hack of information such as social security numbers, account numbers[] or credit card numbers, there is no obvious, credible risk of identity theft that risks real, immediate injury.” In regards to Antman’s alleged causal connection between the opening of the credit card and the breach the magistrate found that “it is not plausible that a person could apply for a credit card without a social security number.”