When did Uber discover the hack of its customers data? How many people in Pennsylvania were affected? What kinds of information and data were comprised? Pennsylvania Attorney General Josh Shapiro has given Uber until December 15 to respond to these questions. At issue is whether the ride share company violated the state's Breach of Personal Information Notification Act and the Consumer Protection Law.

The demand letter follows the public acknowledgement last week by Uber that data (including license numbers) for at least 600,000 Uber Drivers in the U.S – 13,000 in Pennsylvania – had been stolen. The company has admitted that the names, email addresses and phone numbers of some customers may have been accessed, but claims that their credit card numbers and other payment information are still secure. Worldwide, the hack may have impacted as many as 57 million people.

Following on the heels of the massive Equifax hack likewise being investigated by a number of AGs including Shapiro, he argues "These kinds of breaches will keep happening . . . until we force these companies to change the way they do business. We need to require change in corporate culture and put consumers' security ahead of profits."