Uber to pay $2.2 million to its Washington drivers over 2016 data breach

State Attorney General Ferguson announces settlement

  • Wednesday, September 26, 2018 12:27pm
Bob Ferguson

State Attorney General Bob Ferguson announced Wednesday he will return more than $2.2 million to Uber drivers affected by a November 2016 data breach at the international ride-sharing company.

The money for drivers is part of approximately $5.79 million Uber will pay for violating Washington state’s data breach notification law and for failing to adequately safeguard the personal data of Uber drivers, according to a State Attorney General’s Office news release. The breach affected more than 57 million drivers and passengers worldwide, including nearly 13,000 Uber drivers in Washington. Uber waited more than a year before it revealed the breach publicly or notified the Attorney General’s Office. Most Washingtonians who drove for Uber in 2013 and 2014 will each receive $170.

The judgment, filed Wednesday in King County Superior Court, resolves a lawsuit Ferguson filed against Uber in November of 2017 as well as an investigation into Uber’s data security practices.

The judgment is part of a joint resolution by all 50 states and the District of Columbia related to the company’s November 2016 data breach.

“Uber kept this massive data breach secret for more than a year, and jeopardized the personal information of thousands of drivers,” Ferguson said in the news release. “Uber’s conduct was inexcusable and unlawful.”

Washington received a larger share of the nationwide $148 million settlement because Ferguson sued Uber in November of 2017 for failing to notify affected drivers and the Attorney General’s Office. Washington was one of just a small number of states that sued Uber over its conduct related to the data breach prior to the multistate resolution.

In November 2016, an individual contacted Uber claiming he had accessed Uber’s user information. Uber investigated and confirmed that person and one other individual had in fact accessed the company’s files, including obtaining the names and driver’s license numbers of more than 7 million drivers for the company around the world, including nearly 13,000 in Washington state. The hacker also obtained the login, encrypted password, and some geolocation information for nearly 50 million riders worldwide.

Under an amendment to Washington’s data breach notification law requested by Ferguson in 2015, consumers and the state must be notified within 45 days of a breach of “personal information,” which means an individual’s first name or first initial and last name in combination with a Social Security Number, driver’s license or Washington identification card number, or account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

Despite the law, Uber failed to notify the Attorney General’s Office until Nov. 21, 2017 — more than 370 days after it learned of the breach. The company admitted to paying the hackers to hide the breach and destroy the stolen data.

In addition to paying Washington state for its violations, Uber is required to develop, implement, and maintain a comprehensive information security program that adequately protects personal information of riders and drivers. The company is also required to provide an independent assessment of the program’s effectiveness to the Attorney General’s Office every two years for the next decade.

The Attorney General’s Office will hire a claims administrator, who will reach out to affected drivers. The affected drivers drove for Uber in 2013 and 2014. Affected drivers will receive notification from the claims administrator; there is no need to file a claim. Drivers do not need to contact the Attorney General’s Office.

Only drivers whose driver’s license information was accessed during the breach will be eligible. Eligible Washington drivers will receive $170. Uber has already notified affected drivers by mail or email, and has offered them free credit monitoring and identity theft protection.

