In light of Uber failing to report the massive data breach that affected potentially 57 million passengers and drivers worldwide, Washington State Attorney General Bob Ferguson has filed a multimillion-dollar consumer protection lawsuit against the transportation company.
The breach included the names and driver license numbers of at least 10,888 Uber drivers in Washington and, under the state’s data breach law, those affected are required to be notified within 45 days of the breach, Ferguson’s press release said. The law also requires the attorney general to be notified within 45 days if the breach affects more than 500 Washington residents.
The lawsuit, which seeks penalties for up to $2,000 per violation, alleges Uber violated Washington’s data breach law by failing to notify those affected, as well as the attorney general’s office, within an appropriate amount of time.
Uber did not notify the attorney general’s office until November 21, 2017, more than a year after Uber first discovered the breach. And before Uber reported the breach, the company paid off hackers to destroy the data.
“Washington law is clear: When a data breach puts people at risk, businesses must inform them,” Ferguson said in the release. “Uber’s conduct has been truly stunning. There is no excuse for keeping this information from consumers.”
Just yesterday, Chicago and Cook County’s state attorney sued Uber over the data breach. Congress also got involved, with Senator Mark Warner issuing a number of questions to Uber regarding the data breach.
“We take this matter very seriously and we are happy to answer any questions regulators may have,” an Uber spokesperson said in a statement to TechCrunch. “We are committed to changing the way we do business, putting integrity at the core of every decision we make, and working hard to re-gain the trust of consumers.”