Hackers stole the personal data of 57 million customers and motorists from Uber Technology Inc ., a massive transgres that the company obscured for more than a year. This week, the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 pay to the attackers.

Compromised data regarding the October 2016 strike included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, debit card datum, trip-up locating details or other data were taken, Uber said.

At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy misdemeanours. Uber now says it had a legal obligation to report the hacker to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers to delete the data and keep the breach quiet. Uber said it believes the information was never used but declined to disclose the identities of the attackers.

” None of this should have happened, and I will not make excuses for it ,” Dara Khosrowshahi, who took over as chief executive officer in September, was indicated in an emailed statement.” We are changing the way we do business .”

Read more: Uber Pushed the Restrictions of the Law. Now Comes the Reckoning

After Uber’s disclosure Tuesday, New York Attorney General Eric Schneiderman launched an investigation into the hacker, his spokesman Amy Spitalnick said. The company was also sued for negligence over the transgres by a customer seeking class-action status.

Hackers has been successful in infiltrated numerous corporations in recent years. The Uber breach, while large-scale, is dwarfed by those at Yahoo, MySpace, Target Corp ., Anthem Inc . and Equifax Inc . What’s more alarming are the extreme measures Uber took to hide the two attacks. The breach is the latest scandal Khosrowshahi inherits from his predecessor, Travis Kalanick.

Read more: Gadfly’s Shira Ovide says Kalanick must be expressed

QuicktakeCybersecurity

Kalanick, Uber’s co-founder and former CEO, learned of the hack in November 2016, a month after it has just taken place, the company said. Uber had just decided a lawsuit with the New York us attorney general over data protection revealings and was in the process of negotiating with the Federal Trade Commission over the handling of consumer data. Kalanick declined to comment on the hack.

Joe Sullivan, the outgoing security chief, spearheaded the response to the hacker last year, a spokesman told Bloomberg. Sullivan, a onetime federal prosecutor who joined Uber in 2015 from Facebook Inc ., has been at the center of much of the decision-making that has come back to bite Uber this year. Bloomberg reported last month which the commission is commissioned an investigation into the activities of Sullivan’s security team. This programme, conducted by an outside law firm, detected the hack and the failure to disclose, Uber said.

Here’s how the hack went down: Two attackers retrieved a private GitHub coding site used by Uber software engineers and then utilized login credentials they procured there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers detected an archive of rider and motorist knowledge. Afterwards, they emailed Uber ask questions money, according to the company.

A patchwork of heads of state and federal laws involve companies to alert people and government agencies when sensitive data violates arise. Uber said it was obligated to report the hack of driver’s license information materials and failed to do so.

” At the time of the incident, we took immediate steps to secure the data and shut down farther unauthorized access by the individuals ,” Khosrowshahi said.” We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage reports .”

Uber has earned a reputation for flouting regulations in areas where it has operated because it founding in 2009. The U.S. has opened at least five criminal probes into possible bribes, illicit software, questionable pricing schemes and stealing of a competitor’s intellectual property, people familiar with the issues have said. The San Francisco-based corporation also faces dozens of civil suits.

U.K. regulators including the National Crime Agency are also looking into the scale of the violate. London and other governments have previously taken steps toward banning the service, citing what they say is reckless behavior by Uber.

In January 2016, the New York attorney general penalty Uber $ 20,000 for failing to promptly disclose an earlier data transgres in 2014. After last year’s cyberattack, the company was enter into negotiations with the FTC on a privacy settlement even as it haggled with the hackers on containing the breach, Uber said. The corporation eventually agreed to the FTC settlement three months ago, without acknowledging wrongdoing and before telling the agency about last year’s attack.

The new CEO said his goal is to change Uber’s ways. Uber said it informed New York’s attorney general and the FTC about the October 2016 hacker for the first time on Tuesday. Khosrowshahi asked for the abdication of Sullivan and fired Craig Clark, a senior lawyer who reported to Sullivan. The humen didn’t immediately respond to requests for comment.

Khosrowshahi said in his emailed statement:” While I can’t erase the past, I can perpetrate on behalf of every Uber employee that we will learn from our mistakes .”

The company said its investigation found that Salle Yoo, the outgoing chief legal officer who has been scrutinized for her responses to subject matters, hadn’t been told about the incident. Her replacement, Tony West, will start at Uber on Wednesday and has been briefed on the cyberattack.

Kalanick was ousted as CEO in June under pressure from investors, who said he put the company at legal risk. He remains on the board and lately filled two seats he controlled.

Uber said it has hired Matt Olsen, a former general counsel at the National Security Agency and director of the National Counterterrorism Center, as an adviser. He will help the company restructure its security teams. Uber hired Mandiant, a cybersecurity firm owned by FireEye Inc ., to investigate the hack.

The company plans to liberate a statement to patrons saying it has understood” no evidence of fraud or misuse tied to the incident .” Uber said it will provide drivers whose licenses were compromised with free credit protection monitoring and identity stealing protection.