Seven million drivers had their details stolen during the breach, alongside 50 million active Uber users. The company had paid the hackers $100,000 to delete the data and pushed them to keep the theft secret, according to multiple reports.
In a letter to Ferguson's office last week, an Uber attorney wrote that the company "now thinks it was wrong not to provide notice to affected users at the time".
Washington state has sued ride-sharing company Uber, saying it broke state law when it failed to notify more than 10,000 drivers that their personal information was accessed as part of a major data breach.
Uber failed to disclose a massive breach a year ago that exposed the data of some 57 million users of the ride-sharing service, the company's new chief executive officer says. "Consumers expect and deserve protection from disclosure of their personal information".
Hackers stole names, email addresses, and phone numbers of Uber's riders and drivers in October 2016. When a data breach puts people at risk, businesses must inform them, " Ferguson said in a news release.More news: Kylie Jenner Let Best Friend Jordyn Woods Cut Off All Her Hair
More news: U.S. mall evacuated after gun discharges into floor
More news: Prince Harry, Meghan Markle Wedding: Where Will It Happen?
Washington law requires both affected consumers and the attorney general's office to be notified within 45 days of the breach. Violations carry fines of up to US$2,000, and Ferguson said each day Uber failed to notify each customer constitutes a violation. With investigations under way by the attorneys general of Connecticut, Illinois, Massachusetts, Missouri, New Mexico, and NY, there will likely be more on this front soon.
The lawsuit was filed Tuesday in King County Superior Court.
Europe's data protection authorities can streamline their investigations into companies, something that is exceptional, but that has happened in big cases including the Yahoo data breach earlier this year. If that penalty were applied to each of the affected drivers in Washington, it would total almost $22 million in penalties.
"We have seen no evidence of fraud or misuse tied to the incident", Uber said in a statement.