Personal information belonging to about 57 million Uber customers and drivers was stolen by hackers last October, a breach the company kept hidden for a year and for which its chief security officer was fired this week.

The stolen data included names, email addresses and phone numbers of 50 million Uber riders and 7 million drivers.

“You may be asking why we are just talking about this now, a year later. I had the same question,” CEO Dara Khosrowshahi said in a statement.

After asking for an investigation, Uber discovered that instead of notifying regulators and the affected individuals it had “identified the individuals and obtained assurances that the downloaded data had been destroyed,” he wrote.

Bloomberg reported Tuesday afternoon that the company actually paid the hackers $100,000 to delete the data and keep mum about it.

It’s not unheard of for companies to pay ransom if their computers are locked up due to ransomware, said Ben Johnson, chief technology officer for the computer firm Obsidian Security.

“Payment can occur and is usually tied to a specific demand,”he said.

That said, “paying off hackers to keep them quiet and avoid breach disclosure laws is pretty rare and another matter altogether,” he noted.

Khosrowshahi in his blog post said that “effective today, two of the individuals who led the response to this incident are no longer with the company”

Those individuals were chief security officer Joe Sullivan and fired Craig Clark, a senior lawyer who reported to Sullivan, Bloomberg said.

Uber did not respond to a request for comment for more details about the allegations.

In a statement to its users, Uber said it did not believe they needed to take action.

“We have seen no evidence of fraud or misuse tied to the incident. We are monitoring the affected accounts and have flagged them for additional fraud protection,” the statement read.

The breach began when attackers accessed Github.com, a website used by software engineers, and obtained login credentials there for information stored on an Amazon Web Services account controlled by Uber, Bloomberg said.

In that account they found an archive containing rider and driver data.

That is similar to a 2014 case in which an Uber engineer put an access ID for Uber’s third-party cloud storage on Github.com, a website for software engineers.

Uber agreed to pay a $20,000 penalty for failure to provide timely notice of the breach to drivers.

- USA Today