The Pennsylvania attorney general has filed a lawsuit against Uber for failing to notify the victims of a massive data breach affecting 57 million people worldwide.

The ride sharing company did not disclose the 2016 breach until more than a year after it happened, and it also paid hackers a reported $100,000 ransom to keep the incident under wraps and delete the stolen data.

In a statement released Monday, Pennsylvania Attorney General Josh Shapiro said Uber violated the state’s data breach notification law, which requires incidents to be reported within a “reasonable” time frame.

“Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year and actually paid the hackers to delete the data and stay quiet,” the statement said.

The breach affected 25 million riders and drivers in the United States alone. Included in the stolen data were the names and driver’s license numbers of about 600,000 people, including at least 13,5000 from Pennsylvania.

Pennsylvania law allows a maximum fine of $1,000 for each disclosure violation, meaning Uber could be forced to pay $13.5 million if the state wins. However, most experts believe Uber will settle the case for a smaller sum.

This is far from the only lawsuit Uber is facing over the breach, which finally came to light in November by the company’s new CEO. Washington state has filed suit, as have the cities of Chicago and Los Angeles. Two class-action suits are pending, and attorney generals in at least three other states have said they will investigate the breach further. All but two U.S. states regulate data breach disclosure.

In a statement, Uber Chief Legal Officer Tony West said he was “surprised” by the lawsuit but looks forward to continuing to resolve the matter.

“We make no excuses for the previous failure to disclose the data breach,” said West, who started the job three months ago. “While we do not in any way minimize what occurred, it’s crucial to note that the information compromised did not include any sensitive consumer information such as credit card numbers or social security numbers, which present a higher risk of harm than driver’s license numbers. I’ve been upfront about the fact that Uber expects to be held accountable; our only ask is that Uber be treated fairly and that any penalty reasonably fit the facts.” Click below to learn more about Teramind.

Insider Threat Detection