Missouri Attorney General Josh Hawley, R, says his office will investigate whether ridesharing company Uber violated state law in connection with a 2016 data breach. Missouri law requires that companies provide “prompt” notice to consumers whose information might have been compromised. The company waited more than a year to tell the public about personal information of roughly 57 million customers and drivers getting hacked.

Missouri Attorney General Josh Hawley (left) testifies before a Missouri House committee in February 2017 (photo courtesy of Tim Bommel at Missouri House Communications)

The Attorney General’s Office has written a letter to Uber CEO Dara Khosrowshahi demanding the company takes immediate action to notify all affected consumers, protect those consumers’ personal information, and prevent any future breaches.

“Missouri consumers deserve to know if and when their personal information is compromised—whether that occurs under Uber’s watch or that of other large tech companies,” Hawley says. “As I made clear last week, my office is committed to protecting the privacy and safety of Missouri consumers against the whims of tech giants.”

Hawley says Uber’s failure to secure data as well the concealment of the data breach could violate Missouri’s consumer protection laws. Uber says in late 2016, it had paid hackers $100,000 to destroy the data and admitted it covered up the breach by deciding not to report the matter to victims or authorities.

Attorneys general in at least four U.S. states, Connecticut, Illinois, Massachusetts and New York, have also launched investigations into the hacking.

For more information about what to do if you are victim of a data breach, click here.