Global ride-hailing colossus Uber is being sued by state authorities in Pennsylvania for failing to report it had been the subject of a cybersecurity attacked which breached the data of its customers.

The state’s attorney general, Josh Shapiro, officially filed a lawsuit against the company which is headquartered in San Francisco, for its failure to report the data breach for more than 12 months.

According to reports published by CNET, the sophisticated cyber-attackers managed to access the information of 25m users in the United States, where 4.1m of them were their drivers. Stolen data included names, e-mail addresses, phone numbers and driver’s license numbers. It has been claimed that at least 13,500 of those individuals that had their personal information infiltrated lived in Pennsylvania, hence the lawsuit from the attorney general.

The lawsuit states that Uber was guilty of violating multiple consumer protection laws, including the Personal Information Act, by not notifying its users in a timely manner. It wasn’t until November last year when Uber bosses took the decision to inform the public of the serious breach that had occurred.

A quote from the lawsuit filed said, “When it learned about the 2016 data breach, Uber did not notify law enforcement authorities or consumers. Instead, Uber paid the hackers at least $100,000 to delete the acquired consumer data and keep quiet about the breach.”

Data breaches have risen exponentially over the past number of years and as a result, US Attorney General Jeff Sessions announced the formation of a cybersecurity task force that will analyze multiple types of cyber threats, ranging from corporate theft, governmental and private information on a mass scale. Thus far, the ride sharing giant has opted not to comment any further with regards to the lawsuit.