Uber says it paid hackers $100,000 after they stole data last year on 57 million of its users.
The startup did not disclose the attack until Tuesday, adding a potential cover up to a list of recent corporate controversies.
Uber said that two people outside the company accessed the personal information of 57 million Uber users in late 2016, including names, email addresses and phone numbers. The license numbers of around 600,000 drivers in the United States were included in the breach.
The company did not alert victims or regulators of the breach when it was first discovered.
Britain’s data protection watchdog said the news raised “huge concerns” about Uber’s data policies and ethics.
“If U.K. citizens were affected then we should have been notified so that we could assess and verify the impact on people whose data was exposed,” said James Dipple-Johnstone of the U.K. Information Commissioner’s Office.
Uber CEO Dara Khosrowshahi said in a statement he recently learned of the breach.
Khosrowshahi, who became CEO in August, said he launched an investigation into why the company did not alert authorities or affected individuals. He said, “two of the individuals who led the response to this incident are no longer with the company.” Khosrowshahi said the company is now notifying regulatory authorities.
Bloomberg reported that Joe Sullivan, Uber’s chief security officer, is no longer with the company. Uber would not confirm to CNNMoney which individuals had left the company.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” Khosrowshahi said in the statement.
“We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts,” he said.
Uber did not say how hackers assured the company the stolen data was destroyed, but it did confirm that $100,000 was paid to the hackers.
According to the company, no location history, credit card numbers, Social Security numbers, or dates of birth were downloaded in the hack. Uber said it is providing free credit monitoring to drivers who had their license numbers exposed.
It’s the latest blow to Uber, which is trying to improve its public image. The company has been embroiled in a number of controversies, including using software called Greyball to evade regulators, a court battle over allegedly stolen secrets from Google’s self-driving car division, and a slew of complaints regarding sexual harassment and toxic company culture.
This week, the company was fined almost $9 million for background check issues in Colorado.
In his statement, Khosrowshahi said things will be different moving forward. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” he wrote.