SEATTLE _ Washington state Attorney General Bob Ferguson is suing Uber, after the company waited more than a year to reveal that it had been hacked, resulting in the breach of personal data for customers and drivers.
Uber announced last week that a year earlier hackers had stolen personal data for about 57 million customers and drivers worldwide. The company, however, did not notify the public about the breach until last week. Uber also, according to multiple reports, paid the hackers to delete the data and remain silent about the breach.
The data breach resulted in nearly 11,000 Washington Uber drivers having their data compromised.
"Washington law is clear, when a data breach puts people at risk, businesses must inform them," Ferguson said, in announcing what he billed a multimillion-dollar lawsuit. "Uber's conduct has been truly stunning. There is no excuse for keeping this information from consumers."
About 50 million Uber passengers had names, addresses and phone numbers breached, but the hackers also got driver's license numbers for about 7 million Uber drivers, including 10,888 in Washington, Ferguson said.
Under Washington law, the breach of names, phone numbers and addresses does not require notification, Ferguson said, but the driver's license numbers do.
Washington law requires both affected consumers and the attorney general's office to be notified within 45 days of the breach. Uber waited more than a year, Ferguson said.
Ferguson's lawsuit is the first from a state, although attorneys general in New York, Missouri, Massachusetts, Connecticut and Illinois have begun investigations, and the city of Chicago and Cook County have filed a lawsuit.
"Defendant's conduct is made more egregious by the fact that Uber paid the hackers to delete the personal information and keep quiet about the breach," Ferguson wrote in the lawsuit, filed in King County Superior Court.
In a letter to Ferguson's office last week, an Uber attorney wrote that the company "now thinks it was wrong not to provide notice to affected users at the time."
Ferguson's lawsuit seeks penalties of up to $2,000 per violation of the state's data breach notification law. If that penalty were applied to each of the affected drivers in Washington, it would total nearly $22 million in penalties.
"We are committed to changing the way we do business, putting integrity at the core of every decision we make and working hard to regain the trust of consumers," said Nathan Hambley, an Uber spokesman.
