Uber to pay $2.2 million to its Washington drivers over 2016 data breach

State Attorney General Bob Ferguson announced Wednesday he will return more than $2.2 million to Uber drivers affected by a November 2016 data breach at the international ride-sharing company.

The money for drivers is part of approximately $5.79 million Uber will pay for violating Washington state’s data breach notification law and for failing to adequately safeguard the personal data of Uber drivers, according to a State Attorney General’s Office news release. The breach affected more than 57 million drivers and passengers worldwide, including nearly 13,000 Uber drivers in Washington. Uber waited more than a year before it revealed the breach publicly or notified the Attorney General’s Office. Most Washingtonians who drove for Uber in 2013 and 2014 will each receive $170.

The judgment, filed Wednesday in King County Superior Court, resolves a lawsuit Ferguson filed against Uber in November of 2017 as well as an investigation into Uber’s data security practices.

The judgment is part of a joint resolution by all 50 states and the District of Columbia related to the company’s November 2016 data breach.

“Uber kept this massive data breach secret for more than a year, and jeopardized the personal information of thousands of drivers,” Ferguson said in the news release. “Uber’s conduct was inexcusable and unlawful.”

Washington received a larger share of the nationwide $148 million settlement because Ferguson sued Uber in November of 2017 for failing to notify affected drivers and the Attorney General’s Office. Washington was one of just a small number of states that sued Uber over its conduct related to the data breach prior to the multistate resolution.

In November 2016, an individual contacted Uber claiming he had accessed Uber’s user information. Uber investigated and confirmed that person and one other individual had in fact accessed the company’s files, including obtaining the names and driver’s license numbers of more than 7 million drivers for the company around the world, including nearly 13,000 in Washington state. The hacker also obtained the login, encrypted password, and some geolocation information for nearly 50 million riders worldwide.

Under an amendment to Washington’s data breach notification law requested by Ferguson in 2015, consumers and the state must be notified within 45 days of a breach of “personal information,” which means an individual’s first name or first initial and last name in combination with a Social Security Number, driver’s license or Washington identification card number, or account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

Despite the law, Uber failed to notify the Attorney General’s Office until Nov. 21, 2017 — more than 370 days after it learned of the breach. The company admitted to paying the hackers to hide the breach and destroy the stolen data.

In addition to paying Washington state for its violations, Uber is required to develop, implement, and maintain a comprehensive information security program that adequately protects personal information of riders and drivers. The company is also required to provide an independent assessment of the program’s effectiveness to the Attorney General’s Office every two years for the next decade.

The Attorney General’s Office will hire a claims administrator, who will reach out to affected drivers. The affected drivers drove for Uber in 2013 and 2014. Affected drivers will receive notification from the claims administrator; there is no need to file a claim. Drivers do not need to contact the Attorney General’s Office.

Only drivers whose drivers’ license information was accessed during the breach will be eligible. Eligible Washington drivers will receive $170. Uber has already notified affected drivers by mail or email, and has offered them free credit monitoring and identity theft production.