FILE - In this Thursday, Feb. 9, 2017, file photo, Washington Attorney General Bob Ferguson speaks at a news conference.
Washington Attorney General Bob Ferguson announced Tuesday his office had filed a consumer protection lawsuit against Uber, alleging that the ride-sharing company waited more than a year to notify the state of a data breach affecting 57 million passengers and drivers, including 10,888 drivers in Washington.
“Washington law is clear: When a data breach puts people at risk, businesses must inform them,” Ferguson said in a statement. “Uber’s conduct has been truly stunning. There is no excuse for keeping this information from consumers.”
The lawsuit alleges Uber violated the state’s data breach notification law.
Under a 2015 amendment to the law, consumers must be notified within 45 days of a data breach, and the AG’s office must also be notified within 45 days if the breach affects more than 500 Washington residents.
This is the first lawsuit filed under the new requirements. It was filed in King Count Superior Court Tuesday.
According to the AG’s Office, an individual contacted Uber in November 2016 claiming he had accessed the company’s user information. Uber confirmed that person and another had accessed files including names, email addresses and phone numbers of 50 million passengers worldwide.
The hackers also obtained names and driver’s license information for 7 million drivers, 600,000 of whom live in the United States and 10,888 who live in Washington.
“Uber notified the Attorney General’s Office of the breach Nov. 21, 2017, roughly 372 days after it discovered the breach,” according to a press release from the AG’s Office. “Rather than reporting the breach as required by law, the company has admitted to paying the hackers to destroy the stolen data.”
The suit asks for civil penalties of up to $2,000 per violation and recovery of the state’s costs and fees. Senior Counsel Shannon Smith and Assistant Attorneys General Tiffany Lee and Andrea Alegrett are handling the case.
