Uber has taken plenty of wrong turns over the past few years. But the latest is certainly one of the most damaging. Bloomberg has revealed that the company concealed for more than a year a massive data breach that exposed sensitive records of millions of drivers and customers. The breach, which occurred in October 2016, was reportedly hidden by Uber’s chief security officer, Joe Sullivan, and others. Sullivan and one of his deputies have been ousted by the company. Travis Kalanick, the firm’s cofounder and former CEO, was made aware of the breach not long after it happened.

In a press release published shortly after Bloomberg’s story appeared, Uber’s current CEO, Dara Khosrowshahi, said hackers had been able to download files containing a significant amount of information, including the names and driver’s license numbers of around 600,000 drivers in the United States, as well as personal information such as names, e-mail addresses, and mobile phone numbers of 57 million Uber users around the world. The company says outside forensic experts it called in to analyze the breach haven’t seen any indication that credit card numbers, bank account details, and Social Security numbers have been downloaded. But it didn’t say that such details hadn’t been breached.

As with previous mega-hacks, more details will emerge in coming days and weeks. But there are already pressing questions that demand swift answers. Who exactly within Uber’s staff knew about the hack after it occurred, and how many people were actively involved in the cover-up, which involved paying the hackers $100,000 to delete data and keep the breach quiet? Was anyone on Uber’s board told about the intrusion at the time? If not, why not? And why did Uber fail to inform regulators swiftly about the hack?