A week after Uber acknowledged a massive data breach, the Washington state Attorney General Bob Ferguson sued the taxi-aggregator for failing to report the incident. On November 28, 2017, Ferguson filed a multimillion-dollar lawsuit against Uber King County Superior Court, alleging that ride-sharing company violated the state’s revised data breach notification norm.
Ferguson has sought civil penalties of up to $2,000 per violation, which could result in millions of dollars if Uber loses. While asking Uber to cover the costs and fees associated with the lawsuit, Ferguson alleged that names and driver’s license numbers of at least 10,888 Uber drivers in Washington state were stolen without their being notified as state law requires.
A press release issued by the Attorney General’s Washington office said, “the hackers obtained the names and driver’s license numbers of about 7 million drivers for the company. About 600,000 of those drivers live in the United States, and at least 10,888 live in Washington”.
Ferguson’s lawsuit is the first since the state’s consumer privacy laws were revised in 2015. According to the revised data breach law, “victims must be notified within 45 days of the breach’s discovery. If the breach affects more than 500 Washington residents, the attorney general’s office must also be notified.” In Uber’s case, the breach was notified to the attorney general after 372 days of occurrence.
During a press conference, Ferguson was quoted as saying, “instead of doing the right thing, following the law, and telling these thousands of Washingtonians they were at risk, Uber paid the hackers to delete the data and did not disclose the breach to anyone. That is stunning. It violates the spirit and the letter of the law. Our law is clear. When a data breach puts consumers at risk, businesses must inform them. That’s fair”.
Senior Counsel Shannon Smith and Assistant Attorneys General Tiffany Lee and Andrea Alegrett are handling the case. Several states, including Missouri, Massachusetts and New York, have opened investigations, and the city of Chicago sued Uber on November 27, 2017, The News Tribune reported.
Last week, it was reported that Uber paid hackers $100,000 in ransom to destroy the stolen data to hide the breach that allegedly compromised personal information of about 57 million passengers around the world in October 2016. Shortly after the news broke, Uber fired its chief security officer Joe Sullivan and a deputy Craig Clark for concealing the hacking incident.
To investigate the breach, Uber CEO Dara Khosrowshahi said that his company hired Mandiant, a cybersecurity firm owned by FireEye and Matt Olsen, former general counsel of the U.S. National Security Agency, to restructure the company’s security teams and processes.