In light of Uber failing to report the massive data breach that affected potentially 57 million passengers and drivers worldwide, Washington State Attorney General Bob Ferguson has filed a multimillion-dollar consumer protection lawsuit against the transportation company.
The breach included the names and driver’s license numbers of at least 10,888 Uber drivers in Washington and, under the state’s data breach law, those affected are required to be notified within 45 days of the breach, Ferguson’s press release said. The law also requires the attorney general to be notified within 45 days if the breach affects more than 500 Washington residents.
The lawsuit, which seeks penalties for up to $2,000 per violation, alleges Uber violated Washington’s data breach law by failing to notify those affected, as well as the attorney general’s office within an appropriate amount of time.
Uber did not notify the attorney general’s office until Nov. 21, 2017, over a year after Uber first discovered the breach. And before Uber reported the breach, the company paid off hackers to destroy the data.
“Washington law is clear: When a data breach puts people at risk, businesses must inform them,” Ferguson said in the release. “Uber’s conduct has been truly stunning. There is no excuse for keeping this information from consumers.”
Just yesterday, Chicago and Cook County’s state attorney sued Uber over the data breach. Congress also got involved, with Senator Mark Warner issued a number of a questions to Uber regarding the data breach.
I’ve reached out to Uber and will update this story if I hear back.