Washington state sues Uber over data breach

Last week, Uber admitted that a cyberattack had exposed the personal information of millions of drivers and passengers—a full year ago. Today, Washington state attorney general Bob Ferguson announced he’d be suing the company for violations of state law.

Ferguson said that the hack included phone numbers, driver license numbers, and addresses for nearly 11,000 Washington state Uber drivers. When data is compromised, under Washington law, companies must notify both affected customers and the attorney general within 45 days of the breach. Since the cyberattack happened in October 2016, that would put Uber far outside that window.

Making matters worse: Multiple reports point to Uber purposely covering up the breach. The initial Bloomberg report that exposed the breach also found that Uber had paid the hackers $100,000 to delete the data and not say anything.

In the suit, the attorney general said this makes the misconduct “more egregious.”

In addition to violating the notification law, the suit alleges that Uber may be in violation of state unfair practice law. “Failing to notify affected consumers that their driver's license numbers were accessed by unauthorized individuals is not reasonable in relation to the development and preservation of business and is inconsistent with the public interest,” the suit reads.

The suit seeks $2,000 per violation—and with 10,888 affected in the state, that could add up to more than $20 million.

In a statement, Uber didn’t deny wrongdoing. “We take this matter very seriously and we are happy to answer any questions regulators may have,” an Uber spokesperson said over email. “We are committed to changing the way we do business, putting integrity at the core of every decision we make, and working hard to regain the trust of consumers.”

• Washington AG sues Uber over data breach kept secret for a year [Seattle Times]