Washington state Attorney General Bob Ferguson is suing Uber in King County Superior Court for failing to report a massive data breach that exposed the personal information of 57 million Uber drivers and passengers around the world.
Washington is the first state to sue Uber over the breach, and Ferguson’s lawsuit is the first since the state’s consumer privacy laws were revised in 2015.
Driver's license numbers were exposed as part of the breach. Uber has acknowledged that, rather than notifying victims, it covered up the October 2016 incident by paying off the hackers behind the breach. The breach exposed the personal information of 10,888 Uber drivers in Washington state, according to the complaint.
The multimillion-dollar lawsuit claims Uber violated Washington state’s revised data breach laws, which “require individuals, businesses, and public agencies to notify Washington residents who are at risk of harm because of a security breach that includes personal information.” Victims must be notified within 45 days of the breach’s discovery. If the breach affects more than 500 Washington residents, the attorney general’s office must also be notified.
Uber told Ferguson’s office about the breach on Nov. 21, 2017, about 372 days after the company discovered it.
“Instead of doing the right thing, following the law, and telling these thousands of Washingtonians they were at risk, Uber paid the hackers to delete the data and did not disclose the breach to anyone,” Ferguson said during a press conference Tuesday. “That is stunning. It violates the spirit and the letter of the law.”
Ferguson said his lawsuit is based on information already provided by Uber. His office will be conducting a further investigation as the case progresses.
After news of the breach broke last week, Uber fired its security chief and another employee associated with the cover-up. The hackers who exposed personal information of Uber users figured out how to get into the company’s Amazon Web Services account through credentials pilfered from a GitHub site used by its engineers.
“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” said Uber CEO Dara Khosrowshahi in a statement. “We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
Khosrowshahi left his chief executive role at Expedia in August to take the helm at Uber and steer the company out of a storm of controversy that had been building for months. In his statement last week, Khosrowshahi said he has asked for a thorough investigation into the breach and how Uber handled it.
Ferguson’s lawsuit is seeking civil penalties of up to $2,000 per violation, which could result in millions of dollars if Uber loses. The state is also asking Uber to cover the costs and fees associated with the lawsuit.
“Our law is clear,” Ferguson said during the press event Tuesday. “When a data breach puts consumers at risk, businesses must inform them. That’s fair.”
Read the full complaint below.