SEATTLE — Attorney General Bob Ferguson announced today he will return more than $2.2 million to Uber drivers affected by a November 2016 data breach at the international ride-sharing company.

The money for drivers is part of approximately $5.79 million Uber will pay for violating Washington state’s data breach notification law and for failing to adequately safeguard the personal data of Uber drivers. The breach affected more than 57 million drivers and passengers worldwide, including nearly 13,000 Uber drivers in Washington. Uber waited more than a year before it revealed the breach publicly or notified the Attorney General’s Office. Most Washingtonians who drove for Uber in 2013 and 2014 will each receive $170.

The judgment, filed today in King County Superior Court, resolves a lawsuit Ferguson filed against Uber in November of 2017 as well as an investigation into Uber’s data security practices.

The judgment is part of a joint resolution by all 50 states and the District of Columbia related to the company’s November 2016 data breach.

“Uber kept this massive data breach secret for more than a year, and jeopardized the personal information of thousands of drivers,” Ferguson said. “Uber’s conduct was inexcusable and unlawful.”

Washington received a larger share of the nationwide $148 million settlement because Ferguson sued Uber in November of 2017 for failing to notify affected drivers and the Attorney General’s Office. Washington was one of just a small number of states that sued Uber over its conduct related to the data breach prior to the multistate resolution.

In November 2016, an individual contacted Uber claiming he had accessed Uber’s user information. Uber investigated and confirmed that person and one other individual had in fact accessed the company’s files, including obtaining the names and driver’s license numbers of more than 7 million drivers for the company around the world, including nearly 13,000 in Washington state. The hacker also obtained the login, encrypted password, and some geolocation information for nearly 50 million riders worldwide.

Under an amendment to Washington’s data breach notification law requested by Ferguson in 2015, consumers and the state must be notified within 45 days of a breach of “personal information”, which means an individual’s first name or first initial and last name in combination with a Social Security Number, driver’s license or Washington identification card number, or account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

Despite the law, Uber failed to notify the Attorney General’s Office until Nov. 21, 2017 — more than 370 days after it learned of the breach. The company admitted to paying the hackers to hide the breach and destroy the stolen data.

In addition to paying Washington state for its violations, Uber is required to develop, implement, and maintain a comprehensive information security program that adequately protects personal information of riders and drivers. The company is also required to provide an independent assessment of the program’s effectiveness to the Attorney General’s Office every two years for the next decade.

The Attorney General’s Office will hire a claims administrator, who will reach out to affected drivers. The affected drivers drove for Uber in 2013 and 2014. Affected drivers will receive notification from the claims administrator; there is no need to file a claim. Drivers do not need to contact the Attorney General’s Office.

Only drivers whose drivers’ license information was accessed during the breach will be eligible. Eligible Washington drivers will receive $170. Uber has already notified affected drivers by mail or email, and has offered them free credit monitoring and identity theft production.

Senior Counsel Shannon Smith and Assistant Attorneys General Tiffany Lee and Andrea Alegrett are handling the case.

Data breach notification in Washington

Ferguson updated Washington’s data breach notification laws with agency request legislation passed in 2015.

Washington has two data breach notification laws: One applying to individuals and businesses, the other for local and state government agencies. The laws are essentially the same and require notification to Washingtonians at risk of harm because of a security breach that includes personal information, meaning someone’s name and any of the following:

Social Security number;

Driver’s license number or Washington identification card number; or

Bank account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s account.

This FAQ document lays out the data breach law for businesses.

Since reporting began in 2015, the Attorney General’s Office has produced annual reports examining the data from the previous year. The most recent report found that breaches affected nearly 3 million Washingtonians, more than six times the number affected in the previous 12 months.

-30-

The Office of the Attorney General is the chief legal office for the state of Washington with attorneys and staff in 27 divisions across the state providing legal services to roughly 200 state agencies, boards and commissions. Visit www.atg.wa.gov to learn more.

Contacts:

Dan Jackson, Acting Communications Director, (360) 753-2716; DanJ1@atg.wa.gov