
Posted: 2018-03-05 18:09:01
Uber violated consumer protection laws when it delayed notification about a data breach, Pennsylvania's attorney general says.

CNET

Uber's got a new legal fight on its hands.

Pennsylvania Attorney General Josh Shapiro on Monday filed a lawsuit against Uber after the San Francisco-based ride-sharing company took more than 12 months to inform users that it suffered a major hack.

"Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach," Shapiro said in a press release. "Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year -- and actually paid the hackers to delete the data and stay quiet." 

The attackers accessed the information of 25 million users in the United States, 4.1 million of whom were drivers. The stolen data included names, email addresses, phone numbers and driver's license numbers. About 13,500 of the affected Uber drivers lived in Pennsylvania, according to the lawsuit.

Under Pennsylvania law, Shapiro can sue for $1,000 for each violation. That means the attorney general's office could seek $13.5 million from Uber. 

Although the hack took place in October 2016, the company didn't notify the public until November 2017. By failing to notify users in a timely manner, the lawsuit said, Uber violated Pennsylvania's Breach of Personal Information Notification Act, which required companies to notify people affected by data breaches in a "reasonable" time frame. 

"When it learned about the 2016 Data Breach, Uber did not notify law enforcement authorities or consumers about the breach," the lawsuit says. "Instead, Uber paid the hackers at least $100,000 to delete the acquired consumer data and keep quiet about the breach."

Shapiro said in a statement that Uber's payoff was "outrageous corporate misconduct."

Uber is no stranger to legal tussles. In February, it settled with Google's Waymo for about $245 million in a high-profile confrontation over self-driving cars and Silicon Valley trade secrets. Later in the month, it got hit with a lawsuit alleging that it discriminates against people in wheelchairs. It's also had to defend itself against charges of sexual assault by its drivers.

The company, which appointed a new CEO, Dara Khosrowshahi, three months before the disclosure of the 2016 breach, said in a statement Monday that it's a changed company.

"While we make no excuses for the previous failure to disclose the data breach, Uber's new leadership has taken a series of steps to be accountable and respond responsibly," an Uber spokesperson said. "While we dispute the accuracy of some of the characterizations in the Pennsylvania Attorney General's lawsuit, we will continue to cooperate with them and ask only that we be treated fairly."

Data breaches, meanwhile, have become a fact of life in a world devoted to apps, e-commerce and an internet overstuffed with personal information. They strike seemingly everywhere with grim regularity, from government agencies to big businesses to online hookup services.

The problem has prompted calls to action by government officials around the world. Last month, for instance, US Attorney General Jeff Sessions announced the formation of a cybersecurity task force to look into a wide range of threats, including "theft of corporate, governmental, and private information on a mass scale."

The Pennsylvania attorney general's office is taking the multiple reported breaches into account, pointing out that personal information stolen from the Equifax breach could be combined with data from the Uber breach to help criminals committing identity theft. 

"The more personal information these criminals gain access to, the more vulnerable the person whose information was stolen becomes," Shapiro said.

The stolen data had been stored on Uber's Amazon Web Services cloud account. Uber reached out to the hackers and said it confirmed that the stolen data had been deleted permanently. Following the announcement, the company offered credit monitoring and identity theft protection to people who were affected.

The Pennsylvania AG's office is asking any state residents who feel they were affected by Uber's breach to file a complaint with the Bureau of Consumer Protection at scams@attorneygeneral.gov. 

Originally published March 5 at 7:30 a.m. PT.
Update at 8:12 a.m. PT: Added background and more details from the court filing.
Update at 9:10 a.m. PT: Added statements from the Pennsylvania attorney general.
Update at 10:04 a.m. PT: Added statement from Uber and other background.
