Washington Attorney General Bob Ferguson is suing Uber, after the ride-hailing company waited more than a year to reveal that it had been hacked, resulting in the breach of personal data for customers and drivers.
Uber announced last week that a year earlier hackers had stolen personal data for about 57 million customers and drivers worldwide.
The company had paid the hackers $100,000 to delete the data and pushed them to keep the theft secret, according to multiple reports.
The data breach resulted in nearly 11,000 Washington Uber drivers having their data compromised.
“Washington law is clear, when a data breach puts people at risk, businesses must inform them,” Ferguson said, in announcing what he billed as a multimillion-dollar lawsuit. “Uber’s conduct has been truly stunning. There is no excuse for keeping this information from consumers.”
About 50 million Uber passengers had their names, addresses and phone numbers breached, but the hackers also got driver’s license numbers for about 7 million Uber drivers, including 10,888 in Washington, Ferguson said.
Under Washington law, the breach of names, phone numbers and addresses does not require notification, Ferguson said, but the driver’s license numbers do.
Washington law requires affected consumers and the attorney general’s office to be notified within 45 days of the breach. Uber waited more than a year, Ferguson said.
Ferguson’s lawsuit is the first from a state, although attorneys general in New York, Missouri, Massachusetts, Connecticut and Illinois have begun investigations, and the city of Chicago and Cook County have filed a lawsuit.
“Defendant’s conduct is made more egregious by the fact that Uber paid the hackers to delete the personal information and keep quiet about the breach,” Ferguson wrote in the lawsuit, filed in King County Superior Court.
In a letter to Ferguson’s office last week, an Uber attorney wrote that the company “now thinks it was wrong not to provide notice to affected users at the time.”
Ferguson’s lawsuit seeks penalties of up to $2,000 per violation of the state’s data-breach-notification law. If that penalty were applied to each of the affected drivers in Washington, it would total nearly $22 million in penalties.
“We are committed to changing the way we do business, putting integrity at the core of every decision we make and working hard to regain the trust of consumers,” said Nathan Hambley, an Uber spokesman.