In a startling revelation, ride-hailing service Uber disclosed on Tuesday that hackers had stolen personal information of 57 million of its customers and drivers in a massive data breach last year.
What is even more shocking is the fact that Travis Kalanick, Uber co-founder and former CEO, learned of the hack in November 2016, a month after it happened, but still kept quiet.
Two hackers in the October 2016 attack "inappropriately accessed" a private GitHub repository used by Uber's software engineers. The hackers then used the stolen credentials to breach an Amazon Web Services account containing an archive of rider and driver information.
Uber's current CEO Dara Khosrowshahi, who took office in September, acknowledged the data breach in a blog post on Tuesday. He even apologised for the cover-up, which according to him shouldn't have happened as Uber has a legal obligation to report such hacks to both regulators and the people affected.
But Uber kept quiet. Rather than disclosing the breach immediately after it was discovered, the Kalanick-led management tried to conceal it by paying the hackers $100,000 to delete the compromised data.
Khosrowshahi now regrets the company's inexplicable failure to reveal the hack on time, and the role of then-CEO Kalanick in the entire controversy has now come to light.
As part of its course correction, Uber has hired Matt Olsen, former general counsel of the US National Security Agency and director of the National Counterterrorism Centre, as an advisor to help restructure the company's security teams.
The company is also providing drivers whose licences were stolen with free credit monitoring and identity theft protection.
"None of this should have happened, and I will not make excuses for it," Khosrowshahi said. "We are changing the way we do business."
Uber has already ousted chief security officer Joe Sullivan, who reportedly spearheaded the response to last year's hack. The company has also let go of Craig Clark, a senior lawyer who worked with Sullivan.
However, Kalanick, who actually needs to explain why he let that blunder happen, is still an active member of Uber's board of directors.
If Kalanick was indeed aware of the cyberattack and still didn't let his fellow board members know about it, then there could be an even bigger secret waiting to be unearthed.
Despite being the world's most valuable private technology company, Uber has earned a reputation for defying regulations under Kalanick's watch. From alleged bribes to illegal software to dubious pricing schemes, Uber has plenty of charges to deal with.
And while Khosrowshahi is currently busy repairing Uber's tainted image, Kalanick's association with the company will make his job a lot tougher.