AG Ferguson files multi-million dollar lawsuit against Uber for failing to report massive data breach

  • Tuesday, November 28, 2017 2:29pm
  • News

The following is a press release from the Attorney General’s Office.

Attorney General Bob Ferguson today filed a multi-million dollar consumer protection lawsuit against ride sharing company Uber, alleging thousands of violations of the state’s data breach notification law.

Uber discovered a data breach potentially affecting 57 million passengers and drivers around the world, including the names and driver’s license numbers of at least 10,888 Uber drivers in Washington.

Under a 2015 amendment to the state’s data breach law requested by Ferguson, consumers must be notified within 45 days of a breach, and the Attorney General’s Office also must be notified within 45 days if the breach affects 500 or more Washingtonians. This is the first lawsuit filed under the revised statute.

“Washington law is clear: When a data breach puts people at risk, businesses must inform them,” Ferguson said. “Uber’s conduct has been truly stunning. There is no excuse for keeping this information from consumers.”

The complaint, filed today in King County Superior Court, alleges thousands of violations of Washington’s data breach law by failing to notify affected drivers and the Attorney General’s Office within 45 days of the breach.

In November 2016, an individual contacted Uber claiming he had accessed Uber’s user information. Uber investigated and confirmed that person and one other individual had in fact accessed the company’s files, including the names, email addresses and telephone numbers of about 50 million passengers worldwide. If Uber’s assessment of the compromised data is correct, this type of information does not require notification under Washington’s law.

However, the hackers also obtained the names and driver’s license numbers of about 7 million drivers for the company. About 600,000 of those drivers live in the United States, and at least 10,888 live in Washington.

Uber notified the Attorney General’s Office of the breach Nov. 21, 2017, roughly 372 days after it discovered the breach. Rather than reporting the breach as required by law, the company has admitted to paying the hackers to destroy the stolen data.

This lawsuit does not address any data security issues that may have led to the breach. Today’s lawsuit does not preclude future action on other issues.

The office argues each day Uber failed to report for each individual qualifies as a separate violation under the law. Ferguson’s lawsuit asks for civil penalties of up to $2,000 per violation, which should result in a penalty in the millions of dollars. The state also asks for recovery of its costs and fees.

Senior Counsel Shannon Smith and Assistant Attorneys General Tiffany Lee and Andrea Alegrett are handling the case.

Data breach notification in Washington

Ferguson updated Washington’s data breach notification laws with agency request legislation passed in 2015. The bill was sponsored by Rep. Zack Hudgins (D-Tukwila) and Sen. John Braun (R-Centralia).

Washington has two data breach laws: One applying to individuals and businesses, the other for local and state government agencies. The laws are essentially the same and require notification to Washingtonians at risk of harm because of a security breach that includes personal information, meaning someone’s name and any of the following:

  • Social Security number;
  • Driver’s license number or Washington identification card number; or
  • Bank account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s account.

This FAQ document lays out the data breach law for businesses.

Since reporting began in 2015, the Attorney General’s Office has produced annual reports examining the data from the previous year. The most recent report found that breaches affected nearly 3 million Washingtonians, more than six times the number affected in the previous 12 months.

More in News

Largest salmonella outbreak linked to live poultry

Nationally, 2017 had more Salmonella cases linked to backyard poultry than ever recorded by the U.S. Centers for Disease Control and Prevention.

Screenshot of a post from Highline College Facebook page at 9:25 a.m. Feb. 16, 2018.
Highline College on lockdown; gunfire reported | UPDATE: No shots fired

Highline College has been placed on lockdown Friday morning following reports of gunfire on campus.

Image courtesy of Wikipedia Commons.
State Patrol now ticketing for E-DUIs; insurance premiums may be affected

When the law was passed last year, WSP was just giving warnings. Now, drivers will be pulled over and ticketed with an E-DUI for using electronics behind the wheel.

Now accepting applications for Rampathon and more community news

Neighborhoods receive area grants Community Service Area grants were announced Feb. 7… Continue reading

A voter drops of their ballot at a drop off box in Maple Valley for the November 2017 election. File photo by Kayse Angel
Early results are in, a number of levies failing while recall is passing

It was that time again to count the thousands of ballots that… Continue reading

Not actual vehicle.
Detectives seeking witnesses to an injury hit and run collision

At approximately 6:45 p.m. on Feb. 8, the Washington State Patrol (WSP)… Continue reading

Maple Valley area neighborhoods receive King County Community Service Area Grants

King County Community Service Area grants for District 9 were announced today by Metropolitan King County Council Vice Chair Reagan Dunn.

Students from Tahoma High School’s “We the People” team join Sen. Mark Mullet, D-Issaquah, and Sen. Joe Fain, R-Auburn, on Feb. 7, 2018 in the Washington State Capitol building shortly after the Senate approved a resolution honoring the team.
Senate honors Tahoma High’s ‘We the People’ team

The Washington State Senate today honored Tahoma High School’s “We the People” team.

Most Read