Pennsylvania's attorney general is suing a popular ride-sharing company over a data breach that has affected at least 13,500 people in the state.

Uber Technologies is the subject of a lawsuit filed today by Attorney General Josh Shapiro, who says Uber knew for more than a year that a data breach potentially impacting 57 million passengers and drivers occurred, but the company failed to disclose the breach until November.

This is a violation of the state's data breach notification law, Shapiro said in a press release this morning. At least 13,500 Pennsylvania Uber drivers had their names and drivers' license numbers stolen by hackers during this breach.

"Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach," Shapiro said. "Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year - and actually paid the hackers to delete the data and stay quiet. That's just outrageous corporate misconduct, and I'm suing to hold them accountable and recover for Pennsylvanians."

Uber spokesman Craig Ewer issued the following statement:

"While we make no excuses for the previous failure to disclose the data breach, Uber's new leadership has taken a series of steps to be accountable and respond responsibly. We investigated the incident, disclosed the circumstances to state and federal regulators, and reached out to state Attorneys General, including Attorney General Shapiro, to express Uber's desire to cooperate fully with any investigations. While we dispute the accuracy of some of the characterizations in the Pennsylvania Attorney General's lawsuit, we will continue to cooperate with them and ask only that we be treated fairly."

This suit marks the first time an AG is filing suit under the Pennsylvania Breach of Personal Information Notification Act, seeking $13.5 million from Uber in civil penalties.

As many as 43 attorneys general around the country have been investigating the data breach, which he said leaves drivers open to identity theft. And Uber's isn't the only data breach his office is investigating.

"The more personal information these criminals gain access to, the more vulnerable the person whose information was stolen becomes," Shapiro said. "That's why my Bureau of Consumer Protection is not only taking action in the Uber breach today - we are also leading a national investigation into the Equifax breach."

Anyone who believes they may be a victim of the data breach should call the bureau, 1-800-441-2555, or email scams@attorneygeneral.gov.

This story has been updated to include a statement from Uber.