There's no evidence the data was abused, Uber said. However, Khosrowshahi isn't about to defend his company's past behavior. "I will not make excuses for it," he said in a statement. Accordingly, Uber has fired chief security officer Joe Sullivan and one of his deputies, senior lawyer Craig Clark, for playing key roles in covering up the truth. It's also asking former National Counterterrorism Center director Matt Olsen for help structuring Uber's security processes and has stepped up its fraud monitoring for the affected accounts. Drivers in particular are getting free credit monitoring and identity theft protection.

News of the data breach underscores just how much of a challenge Khosrowshahi faces in rethinking Uber's toxic corporate culture. The company was continuing its longstanding habit of ignoring the law even after it had just settled a New York state lawsuit over data security disclosures, and was entering talks with the FTC that would lead to a settlement over data handling. If it could face those kinds of legal threats and still decide that concealing an attack was more important than protecting users, it clearly needs major reforms.