Taking on another high profile case of national significance, Washington State Attorney General Bob Ferguson announced today that his office is suing Uber over a recently revealed 2016 hack.
The company admitted last week that hackers had stolen rider and driver information, then demanded money from the company to hand over their copy of the data. Uber paid up and concealed the data breach, making it look like part of a larger effort to test their security.
Ferguson told reporters today that Uber took this action “instead of doing the right thing.”
“That is stunning,” he said.
Under state law, companies with certain types of data breaches affecting Washington residents must notify them and the AG’s office within 45 days.
“Uber completely failed to meet this basic, basic obligation,” Ferguson said. His office his seeking a $2,000 per day penalty for the more than a year that passed before Uber notified the office of the hack on November 21 of this year.
The suit focuses on Uber drivers, not passengers. Because drivers’ license information was compromised, notification was required within 45 days. Uber says passenger information included names, email addresses, and phone numbers. That information doesn’t require the same notice under the law. (Ferguson said his office could take future action about passenger data if more information is discovered.)
According to the AG’s office, the hack affected 600,000 drivers in the United States, at least 10,888 of them in Washington. Ferguson said his office wants to hear from Uber drivers affected by the hack.
A spokesperson for Uber said in a statement: “We take this matter very seriously and we are happy to answer any questions regulators may have. We are committed to changing the way we do business, putting integrity at the core of every decision we make, and working hard to re-gain the trust of consumers.”