Late Tuesday, online cab-hailing service Uber reported a security breach in the company’s systems which occurred in October 2016. The breach affected both riders and drivers and the breach affected 57 million riders personal information such as names, email addresses, and phone numbers were compromised. In the US, driver’s licence numbers of around 600,000 drivers were downloaded.

The company added that has not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers, or dates of birth were downloaded. Uber said that it is offering drivers free credit monitoring and identity theft protection for drivers on its blog.

For riders Uber said: “We do not believe any individual rider needs to take any action. We have seen no evidence of fraud or misuse tied to the incident. We are monitoring the affected accounts and have flagged them for additional fraud protection. “

Uber said that it learned about the security breach in November 2016 and said it took steps to prevent further harm but chose not to inform drivers and riders about the incident. “We think this was wrong, which is why we are now taking the actions we’ve described,” the blog added.

Meanwhile, Reuters reports that Uber paid hackers $100,000 to keep the incident a secret. CEO Dara Khosrowshahi said that two people – chief security officer Joe Sullivan and his deputy Craig Clark – who were responsible for handling the security breach have been fired. “I’ve asked Matt Olsen, a co-founder of a cybersecurity consulting firm and former general counsel of the National Security Agency and director of the National Counterterrorism Center, to help me think through how best to guide and structure our security teams and processes going forward,” he added.

Pilling problems and culture issues

The incident is also piling on Uber’s existing legal troubles. Hours after the company reporting the security breach, Uber was sued in Los Angeles, as indicated by this Bloomberg report.

  • Earlier this year, venture capital firm Benchmark Capital filed a lawsuit against Former CEO Travis Kalanick for breach of contract and fiduciary duty alleging him that he gained several board seats through “material misstatements and fraudulent concealment”. However, it seems that Kalanick and Benchmark Capital have reached a truce and the two agreed to drop the lawsuit the SoftBank-Uber deal happens successfully, according to a Techcrunch report.
  • Uber faced heavy criticism following the rape of a passenger during an Uber ride in Delhi, in December 2014. This led to increased scrutiny on online cab services in the country from authorities. It was also one of the reasons why it led to the ouster of Kalanick and senior vice president for business Emil Michael. Michael had obtained medical records of the victim and had reportedly shared the same with Kalanick.
  • The company had to fire 20 executives have been fired or quit the company for various reasons. This entire process was kickstarted in February this year, when former Uber engineer, Susan Fowler alleged that she had faced sexual harassment and discrimination during her time at the company.

The security breach also highlights Uber’s culture problem under Kalanick’s reign. Khosrowshahi, who was appointed as CEO in August 2016, said he had only recently learned of the breach. Reuters adds that in November 2016, Uber was in negotiations with the US Federal Trade Commission over the handling of consumer data.

The report added that Uber’s board investigated the matter and concluded that Kalanick and former general counsel Salle Yoo were involved in the decision not to disclose the data breach.

“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Khosrowshahi said in the blog.