Uber revealed on Tuesday that hackers stole the personal data of 57 million users, declining to announce that it paid the same hackers $100,000 to delete the data and keep things quiet.
The rideshare company has known about the breach since October 2016, Bloomberg reports.
About 600,000 drivers had their names and driver's licenses exposed, while the information taken from the remaining users was limited to names, email addresses, and mobile phone numbers. Uber says outside forensic experts have no reason to believe that trip history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were also exposed.
Joe Sullivan, chief security officer, and his deputy hid the cyberattack as U.S. regulators investigated Uber for a different set of privacy violation claims. The two employees were removed this week.
The Uber announcement comes a few months after Equifax revealed that sensitive information of more than 143 million Americans had been exposed and is vulnerable to financial fraud. Former CEO Travis Kalanick reportedly knew about the Uber hack one month after it occurred.
“None of this should have happened, and I will not make excuses for it,” says Dara Khosrowshahi, who replaced Kalanick in June, in a statement. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
Khosrowshahi adds that they are individually notifying drivers whose license numbers were exposed and providing them with free credit monitoring and identity theft protection. The company is also notifying regulators after failing to do so one year ago.
This is the latest in a string of recent controversies for the rideshare company, which include admitting it manipulated fares and pricing, funneling assets to offshore tax havens spotlighted in the Paradise Papers, a culture of sexual harassment brought to attention by former Uber engineer Susan Fowler, and video footage of its driverless cars running red lights. Stay tuned for more.