Uber Technologies acknowledged that one year ago it paid hackers $100,000 to hide a data breach that impacted 47 million accounts. The company fired then-chief security officer Joe Sullivan and deputy Craig Clark for both the breach itself and concealing it. The hackers got the names, emails and phone numbers of millions of riders as well as 600,000 drivers’ license numbers, although apparently Social Security numbers and credit card numbers were not accessed. Uber says it will inform those impacted by the breach in “coming days.”

The Wall Street Journal reports that, “while the scale of the breach pales in comparison to recent disclosures from Yahoo and Equifax, Uber’s attempts to keep it quiet raise questions about how many people knew about it and whether officers still at the company were part of the scheme.” An Uber spokesperson would not reveal who authorized the $100,000 payment, and former chief executive Travis Kalanick’s spokesperson also declined to comment.

“None of this should have happened, and I will not make excuses for it,” said chief executive Dara Khosrowshahi. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”

The breach took place in October 2016, and when the company discovered it in November, it took “immediate steps” to prevent further damage — but it did not disclose what had happened to “authorities, customers and drivers.” When Khosrowshahi, who has been in his position for less than three months, found out, “he ordered an investigation into the circumstances behind the breach.”

Uber will offer “free credit monitoring for affected drivers and additional monitoring for fraud on the accounts of the customers affected.” It also brought on cybersecurity expert/former National Security Agency general counsel Matt Olsen to “advise the company” and hired FireEye-owned Mandiant for security monitoring.

Because privately held firms are not compelled by federal law to report data breaches, “Uber’s obligation to report the breach falls under a patchwork of data-breach laws in 48 states that come with differing and often complex notification requirements.”

Gartner analyst Avivah Litan explained, “companies that fail to notify users in a timely manner following a breach are technically in violation of these laws, but prosecutions are extremely rare.” This year the SEC began an investigation into whether Yahoo disclosed a 2014 breach “in a timely manner.”

Related:
New Uber CEO Knew of Hack for Months, The Wall Street Journal, 11/23/17