Washington state Attorney General Bob Ferguson is filing a lawsuit against Uber after the company failed for a year to report a data breach that put the personal information of 50 million customers and 7 million drivers at risk.
The failure to report the breach 45 days after learning about it violates Washington state law, Ferguson said.
Uber admitted to the breach last week in a statement.
Bloomberg reported that the company paid the hackers $100,000 to delete the data and keep quiet about it. Uber said in its statement that the company "obtained assurances that the downloaded data had been destroyed."
The downloaded information included the names, email addresses and mobile phone numbers of riders, as well as the names and driver's license numbers of some 600,000 U.S. Uber drivers, according to Uber.
"In Washington state law, you've got 45 days, if you're a business like Uber, to notify consumers and my office that there's been a breach. They did not do that here," Ferguson said, clarifying that it's 45 days from the time the company learns about the breach.
It's the first time a lawsuit has been filed under the 45-day law, according to Ferguson.
"Consumers have to be able to protect themselves if their information has been compromised. That did not happen here," Ferguson said.
He said it's too early to say what the dollar amount will be, but predicted this will cost Uber millions of dollars.
Ferguson warns that this type of breach can be devastating to consumers.
"They can drain your finances. They can steal your identity. Nothing good is going to come from that. That's what makes Uber's conduct so egregious. They knew about this for more than a year, and they sat on that information," Ferguson said.