Hackers stole the personal information of about 57 million Uber customers and drivers last October. Rather than disclose the breach, the company paid off the hackers and kept it hidden for a year, a cover-up that led to its chief security officer being fired this week.

The stolen data included the names, email addresses and phone numbers of 50 million Uber riders and 7 million drivers. The drivers' data also included 600,000 U.S. driver's license numbers, CEO Dara Khosrowshahi said in a statement.

The breach occurred when attackers accessed GitHub.com, a code-hosting site used by software engineers, and obtained there login credentials for an Amazon Web Services account controlled by Uber, Bloomberg said. In that account, they found an archive containing rider and driver data.
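The attack chain above starts with cloud credentials sitting in a source repository, which is exactly what a pre-commit or repository-history scan is meant to catch. The following is an added example, not code from the article, from Uber or from Bloomberg: a small scanner that looks for AWS long-term access keys in file contents (a checkout, or each commit's tree) and uses an entropy check to drop placeholder values. The access key ID format (`AKIA` plus 16 upper-case letters or digits) is AWS's documented format; the 40-character secret pattern is a heuristic. The sample repository contents are constructed, and the key values are the well-known fake example keys from AWS documentation, not real credentials.

```python
import math
import re
import subprocess
from typing import Dict, List, NamedTuple

# AWS long-term access key IDs start with "AKIA" followed by 16 upper-case letters/digits.
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# Heuristic: a 40-character base64-ish token assigned to a variable whose name says "secret access key".
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_\-]?secret[_\-]?access[_\-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str       # "access_key_id" or "secret_access_key"
    value: str      # redacted so the report itself does not leak the credential
    entropy: float  # Shannon entropy in bits per character


def shannon_entropy(s: str) -> float:
    """Bits per character. Real secrets score high; filler such as 'xxxx...' scores 0."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only the first and last four characters, enough to match against an inventory."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(path: str, text: str, min_secret_entropy: float = 4.0) -> List[Finding]:
    """Scan one file's text. Secrets below the entropy threshold are treated as placeholders."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            key = m.group(1)
            findings.append(Finding(path, line_no, "access_key_id", redact(key), shannon_entropy(key)))
        for m in SECRET_KEY_RE.finditer(line):
            secret = m.group(1)
            ent = shannon_entropy(secret)
            if ent >= min_secret_entropy:   # drops "xxxx..." style documentation placeholders
                findings.append(Finding(path, line_no, "secret_access_key", redact(secret), ent))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """files maps path -> content, as one checkout or one historical commit's tree would yield."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def scan_git_history(repo_dir: str) -> List[Finding]:
    """Walk every reachable commit, since a key deleted in a later commit is still in history.
    Assumes a local git checkout; not exercised by the offline sample below."""
    revs = subprocess.check_output(["git", "-C", repo_dir, "rev-list", "--all"], text=True).split()
    out: List[Finding] = []
    for rev in revs:
        paths = subprocess.check_output(
            ["git", "-C", repo_dir, "ls-tree", "-r", "--name-only", rev], text=True).split("\n")
        for path in filter(None, paths):
            blob = subprocess.check_output(["git", "-C", repo_dir, "show", f"{rev}:{path}"])
            out.extend(scan_text(f"{rev[:12]}:{path}", blob.decode("utf-8", errors="replace")))
    return out


# Constructed sample repository; the key values are AWS's documented fake example keys.
SAMPLE_REPO = {
    "config/settings.py": (
        "# constructed sample config\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "docs/setup.md": (
        "Copy your keys into ~/.aws/credentials:\n"
        "aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"
    ),
    "scripts/deploy.sh": "aws s3 cp backup.tar.gz s3://some-bucket/\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no} {f.kind} {f.value} (entropy {f.entropy:.2f})")
```

Run against the constructed sample, the scanner reports the access key ID and the real-looking secret in `config/settings.py` and ignores the all-`x` placeholder in `docs/setup.md`. The history walker matters because removing a committed key with a follow-up commit does not revoke it; anyone who can read the repository can still pull it out of an earlier tree, so a hit from either function should be followed by rotating the key in AWS, not by rewriting history alone.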

"You may be asking why we are just talking about this now, a year later. I had the same question," Khosrowshahi wrote.

Khosrowshahi wrote that after he asked for an investigation, he learned that, instead of notifying regulators and the affected individuals, the company had "identified the individuals and obtained assurances that the downloaded data had been destroyed." In fact, the company paid the hackers $100,000 to delete the data and keep quiet about the situation, Bloomberg reported Tuesday. Companies paying ransoms is not unheard of, but it is not a smart tactic either, said Paul Lipman, CEO of antivirus company BullGuard.

"If you pay a hacker's ransom, what guarantee do you have that they'll really delete your data? You can hardly rely on a cybercriminal to hold up their end of that bargain. Furthermore, it just serves to encourage further hacking, making all of us less secure."

The New York State Office of the Attorney General has opened an investigation into the newly revealed breach, said press secretary Amy Spitalnick. Two of the people who led the response, chief security officer Joe Sullivan and senior lawyer Craig Clark, who reported to Sullivan, have both been fired, Bloomberg said.

In a statement to its users, Uber said it did not believe they needed to take action. "We have seen no evidence of fraud or misuse tied to the incident. We are monitoring the affected accounts and have flagged them for additional fraud protection," the statement read.

Source: usatoday.com