:format(webp)/cdn.vox-cdn.com/uploads/chorus_image/image/57701889/GettyImages-858492214.0.0.jpg)
Uber failed to notify some 57 million users that their data — including names, email addresses, phone numbers and driver’s license numbers — was exposed when hackers accessed that information in 2016, newly minted CEO Dara Khosrowshahi said in a statement on Tuesday.
As a result of the failure to notify its customers, Khosrowshahi opened an investigation into how the company handled the incident and fired two people who handled the response process.
Joe Sullivan, Uber’s chief security officer, was one of them. He was hired in 2015 as Uber’s first security chief after the company had suffered a series of hacks. The attack that occurred under Sullivan’s watch is likely the largest data breach the embattled ride-hailing giant has experienced.
Bloomberg News first reported the hack. Instead of notifying users, Uber paid the hackers $100,000 to delete the data they got ahold of and keep the hack quiet.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi wrote in a statement. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
The company has now recruited the help of Matt Olsen, a former NSA general counsel and the co-founder of a cybersecurity consulting firm called IronNet Cybersecurity, to guide its security team going forward.
In his statement, Khosrowshahi said the 600,000 drivers whose license numbers were downloaded will receive free credit monitoring and identity theft protection, and will be individually notified. However, if drivers want to proactively check the status of their account, they can look here.
He also said the company has notified authorities. So far, the office of New York Attorney General Eric Schneiderman has opened an investigation into the breach.
Uber says it does not believe riders need to take any further action but should monitor their credit and other accounts.
He also said that forensic experts had not found any sign that data on trip location history, credit card numbers, bank account numbers, birthdate or social security numbers were downloaded.
Khosrowshahi wrote that the company doesn’t believe that any of the data that was accessed has been misused, but is monitoring the affected accounts.
The company is already facing a number of federal probes into its privacy practices as it transitions from its former chief legal officer, Salle Yoo, who was not notified about this incident, to Tony West, who will start this week.
Update: This post was updated to include that the New York attorney general’s office is investigating the breach.
This article originally appeared on Recode.net.
