Yesterday, Attorney General Ferguson announced that his office has filed a multi-million dollar lawsuit against Uber following the transportation company’s 2016 data breach. Worldwide, the data breach affected approximately 57 million passengers and drivers, and the data of at least 10,888 Washingtonians was put at risk.
Ferguson’s consumer protection lawsuit claims Uber violated Washington’s 2015 amendment to the data breach law which states that consumers must be notified within 45 days of a discovered breach. In this instance, The Attorney General’s office wasn’t notified until November 21, 2017, more than a year after Uber became aware of the breach.
“Washington law is clear: When a data breach puts people at risk, businesses must inform them,” Ferguson said in a press release. “Uber’s conduct has been truly stunning. There is no excuse for keeping this information from consumers.”
Along with the notification of the breach, on November 21, Uber also disclosed they paid the hackers $100,000 to delete the data they had stolen. Uber also convinced the hackers to sign nondisclosure agreements in an attempt to hide the breach.
The lawsuit reasons that each day Uber failed to report the breach is its own distinct violation and asks for penalties of up to $2000 dollars per violation.
Ferguson’s lawsuit is one of several that have been filed against Uber since the breach was made public. Attorneys general from Missouri, New York, Massachusetts, Connecticut, and Illinois as well as individual lawsuits have been filed.