And the cyber-thieves made off with 600,000 United States driver records that included their license numbers.
The companies new CEO, Dara Khosrowshahi, said he recently was made aware of the breach. He was not at the helm when it happened. It identified the individuals and obtained assurances that the downloaded data had been destroyed, according to the statement.
Rather than disclose the breach to regulatory officials and notify affected drivers and customers, Joe Sullivan, who was ousted from his CSO position this week, and an unnamed deputy engaged in a cover up that included paying $100,000 to the hackers behind the breach to delete the stolen data and keep quiet about the incident.
Bloomberg first reported news of the hack.
In March, Uber officials told the New Hampshire Union Leader that the ride-sharing service had several hundred drivers serving almost 40,000 active riders in New Hampshire. "I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it", Khosrowshahi wrote in a blog post.
Seventy million might have lost personal data including names, addresses, phone numbers and e-mail accounts, while 40 million bank accounts and credit cards were also put at risk.
That pledge shouldn't excuse Uber's previous regime for its egregious behavior, said Sam Curry, chief security officer for the computer security firm Cybereason.
Uber is now going to inform individuals who had their information stolen about the thefts, and will provide free credit monitoring for drivers. The New York attorney general has opened an investigation into the data breach, a spokeswoman said. "While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes". As part of that settlement, Uber also paid a $20,000 fine for waiting to notify five months about another data breach that it discovered in September 2014.
Uber is trying to salvage its reputation following a number of high-profile controversies, including using software called Greyball to evade regulators, a court battle over allegedly stolen secrets from Google's self-driving vehicle division, and a slew of complaints regarding sexual harassment and toxic company culture.
Uber admitted that it failed to take the correct actions.
"I'm just used to these breaches all the time; unfortunately it's a common occurrence", said traveler Ryan Eytcheson who was jumping in his Uber after flying in from Los Angeles.
At the time, the company was dealing with regulators investigating privacy breach claims with Uber, which could explain why former CEO Travis Kalanick kept the hack secret. The company has been embroiled in a number of controversies, including using software called Greyball to evade regulators, a court battle over allegedly stolen secrets from Google's self-driving auto division, and a slew of complaints regarding sexual harassment and toxic company culture.