Washington AG state sues Uber over data breach cover-up
SEATTLE - Washington Attorney General Bob Ferguson’s office has filed suit against Uber, claiming the ride-share company broke state law by failing to disclose a mammoth data breach to his office and victims.
The lawsuit, filed in King County Superior Court on Tuesday, accuses Uber of violating the state’s data breach laws when they failed to report the hacking, Ferguson said.
“Right now our lawsuit is based on what Uber has disclosed and admitted to us,” Ferguson said during a news conference at his downtown Seattle office.
While the data breach impacted more than 57 million drivers and riders globally, the lawsuit filed in Seattle only focuses on the nearly 10,000 Uber drivers in Washington state.
“Instead of doing the right thing, following the law and telling these thousands of Washingtonians they were at risk, Uber paid the hackers to delete the data and did not disclose the breach,” Ferguson said.
Though several states are investigating the breach and the City of Chicago filed suit on Monday, Ferguson said Washington is the first state to actually file suit.
An Uber spokeswoman could not be reached for comment Tuesday. Ferguson’s office, on Tuesday, released a letter from the Seattle law firm Perkins Coie about the data breach.
The firm, which is defending Uber, was the first notification Ferguson’s office received about the data breach. The Nov. 21 letter said the company was contacted by “an individual” in November 2016 who claimed they had accessed Uber user information stored on the company’s private cloud storage managed by Amazon Web Services.
“Uber determined the means of access, shut down a comprised credential, and took other steps intended to confirm that the actors had destroyed and would not use or further disseminate the information,” the letter read.
The letter said the breach lasted from October 2016 until November 2016.
Ferguson said that by waiting a year to notify his office, the ride-share company broke state law.
“Washington’s law is crystal clear and has been for several years. If you know you have a data breach and you know consumers have been impacted, you have a duty within 45 days to notify consumers and this office,” Ferguson said.
Uber paid hackers $100,000 in ransom to destroy the information they stole, according to the Associated Press. Congress is investigating the breach as well as other state attorney generals.
Ferguson said this lawsuit is the first his office has filed since the data breach notification law was revised in 2015. The Attorney General’s office is seeking civil penalties of up to $2,000 per violation for each victim whose names and driver’s license numbers were compromised in Washington state.
The penalty, Ferguson said, could result in “millions of dollars” paid out by Uber.