Last week, Uber acknowledged that more than a year ago, it paid hackers a US$100,000 (NZ$145,050) ransom to destroy personal data they stole concerning more than 57 million of its customers and drivers.
A spokesman for Uber told the BBC the firm is not able to clarify how many United Kingdom drivers are included in the 2.7 million.
Under Washington's revised data breach law, businesses are required to notify consumers within 45 days if their personal information was accessed by an unauthorized person.
Uber spokeswoman Molly Spaeth said in an email the company is "committed to changing the way we do business".
Uber Technologies Inc has informed Britain's data protection regulator that about 2.7 million user accounts - representing the vast majority of people using the ride-hailing service in the country - were affected by a 2016 data breach.
YURI GRIPAS REUTERS Washington is the latest state to take Uber to court over its hidden data breach
About 50 million Uber passengers had their names, addresses and phone numbers breached, but the hackers also got driver's license numbers for about 7 million Uber drivers, including 10,888 in Washington, Ferguson said.
Ferguson's lawsuit is the first from a state, although attorneys general in New York, Missouri, Massachusetts, Connecticut and IL have begun investigations, and the city of Chicago and Cook County have filed a lawsuit. Almost 11,000 drivers in the state were affected.
"While Uber has repeatedly asserted that there has been no evidence of fraud or misuse tied to the incident, the concealment of a data breach bears serious consequences under the Data Privacy Act of 2012", according to Privacy Commissioner Raymund Liboro. "Consumers expect and deserve protection from disclosure of their personal information". Ferguson says that Uber did not notify his office until this month, more than a year after the breach. Under such a theory, he argues that Uber should face a penalty of several millions of dollars.
Uber failed to disclose the massive breach at the time, the company's new chief executive officer said last week.
However, Attorney General Ferguson contends that each day that Uber failed to report the breach to each of the drivers-as well as to his office-counts as a separate violation.