Uber will pay Washington drivers $2.2 million over 2016 data breach

Uber will pay Washington drivers $2.2 million over 2016 data breach

More than $2.2 million will be returned to Uber drivers affected by a November 2016 data breach at the international ride-sharing company.

The money for drivers is part of approximately $5.79 million Uber will pay for violating Washington state’s data breach notification law and for failing to adequately safeguard the personal data of Uber drivers. The breach affected more than 57 million drivers and passengers worldwide, including nearly 13,000 Uber drivers in Washington.

The judgment, filed today in King County Superior Court, resolves a lawsuit Attorney General Bob Ferguson filed against Uber in November 2017 as well as an investigation into Uber’s data security practices.

In November 2016, an individual contacted Uber claiming he has accessed Uber’s user information. Uber investigated and confirmed that person and one other individual had in fact accessed the company’s filed, including the names and driver’s license numbers of more than 7 million drivers for the company around the world, including nearly 13,000 in Washington state. The hacker also obtained the login, password and some geolocation information for nearly 50 million riders worldwide.

Uber waited more than a year before it revealed the breach publicly or notified the Attorney General’s Office. The company admitted to paying hackers to hide the breach and destroy the stolen data. More Washingtonians who drove for Uber in 2013 and 2014 will each receive $170.

Washington has two data breach notification laws: One applying to individuals and businesses, the other for local and state government agencies. The laws are essentially the same and require notification to Washingtonians at risk of harm because of a security breach that includes personal information, meaning someone’s name and any of the following:

Social Security number
Driver’s license number of Washington identification card number
Bank account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s account