The company had paid the hackers $100,000 to delete the data and pushed them to keep the theft secret, according to multiple reports.
The breach was a further setback to the Silicon Valley company after London's transport regulator stripped it of its operating licence in September, citing Uber's approach to reporting serious criminal offences and background checks on drivers.
In a letter to Ferguson's office last week, an Uber attorney wrote that the company "now thinks it was wrong not to provide notice to affected users at the time".
Chicago Corporation Counsel Ed Siskel, who filed the complaint in conjunction with Foxx, said that companies should not be permitted to violate the law by "failing to safeguard personal information and then covering it up, preventing those impacted from taking steps to protect themselves", the station reported.More news: Vladimir Putin signs new Russian law for foreign media outlets
The Article 29 Working Party, an advisory committee composed of data privacy watchdogs from each member state in the European Union, said after a meeting in Brussels that it had established a task force to coordinate national investigations into the breach that Uber says affected 57 million users worldwide.
Under Washington law, the breach of names, phone numbers and addresses does not require notification, Ferguson said, but the driver's license numbers do. Uber is expected to begin reaching out to those affected shortly to notify them. With investigations under way by the attorneys general of Connecticut, Illinois, Massachusetts, Missouri, New Mexico, and NY, there will likely be more on this front soon. "There is no excuse for keeping this information from consumers".
The suit is the first enforcement action under the 2015 amendments to Washington's data breach law, and the damages theory will likely amount to several millions of dollars. Almost 11,000 drivers in the state were affected. Ferguson says that Uber did not notify his office until this month, more than a year after the breach.
"We have seen no evidence of fraud or misuse tied to the incident".