Washington AG Sues Uber Over Handling Of Data Breach

Nov 28, 2017

Washington's attorney general is suing Uber over the company's handling of a data breach that affected nearly 11,000 drivers in the state.

Attorney General Bob Ferguson said the app-based car service violated state law by waiting more than a year to report the data theft, which the company disclosed on Nov. 21.

Under a 2015 state law, companies have 45 days to report data breaches to the attorney general's office and affected customers if certain types of data are stolen. 

"Uber completely failed to meet that basic, basic obligation," Ferguson said at a news conference Tuesday.

Ferguson said his lawsuit, filed Tuesday in King County Superior Court, could result in a multi-million dollar penalty for Uber. 

An Uber spokesman said in an email that the company takes the matter "very seriously" and is "happy to answer any questions regulators may have."

"We are committed to changing the way we do business, putting integrity at the core of every decision we make, and working hard to re-gain the trust of consumers," the spokesman said.

Uber's chief executive said that, late last year, two hackers downloaded information on 57 million of the company's customers around the world and 600,000 of its drivers in the United States.

Only the information on drivers, which included their names and driver's license numbers, was significant enough to trigger Washington's reporting requirement, Ferguson said.

Uber CEO Dara Khosrowshahi said the company "obtained assurances that the downloaded information had been destroyed" and has implemented new security measures. 

Customer information downloaded by the hackers included names, email addresses, and mobile phone numbers, the company said.

Ferguson said such a breach does not require reporting under Washington's law. But he said his office could pursue more penalties if it's revealed that the theft of customer information was more serious.

Ferguson said his office learned of the data breach the same day Uber disclosed it to the public, 372 days after it occurred. 

“Our law is clear," he said. "When a data breach puts consumers at risk, businesses must inform them. That’s fair."