Uber has got rid of its chief security officer and announced that his team paid off hackers who stole data belonging to 57 million users.
The ride-hailing app's chief executive, Dara Khosrowshahi, said: "None of this should have happened, and I will not make excuses for it."
Former CSO, Joe Sullivan, presided over a loss of the names, email addresses and mobile phone numbers belonging to Uber drivers and passengers, according to Bloomberg.
Mr Sullivan's team then paid the hackers $100,000 to delete the data instead of notifying the victims.
Uber's former chief executive, Travis Kalanick, learned of the hack in 2016, according to Bloomberg – seven months before a shareholder revolt forced him to quit and replaced him with Mr Khosrowshahi.
"At the time of the incident, we took immediate steps to secure the data and shut down further unauthorised access by the individuals," said Mr Khosrowshahi.
Uber says it does not believe its customers need to take any action.
"We have seen no evidence of fraud or misuse tied to the incident," says a help page on its site.
"We are monitoring the affected accounts and have flagged them for additional fraud protection."
Mr Khosrowshahi said the data had been stolen from a "third-party cloud-based service" – understood to be Amazon Web Services, which the attackers accessed using legitimate passwords stolen via coding website Github.
"We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed".
The chief executive, who joined the company in August, added in his statement: "You may be asking why we are just talking about this now, a year later.
"I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it.
"While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes."
The data breach comes as Uber looks to improve its image after bad publicity during the tenure of Uber's founder Travis Kalanick, and the decision by transport bosses in London to take away its licence.
Mr Kalanick was ousted as chief executive in June after an internal investigation concluded he had built a culture that allowed female workers to be sexually harassed and encouraged employees to push legal limits.
Uber's new boss said the company was now working with regulators on the breach and notifying drivers whose licence numbers were downloaded – as well as giving them credit monitoring and identity theft protection.
A review of its security is also taking place in conjunction with Matt Olsen, a former National Security Agency general counsel and cybersecurity expert.
