Uber has said that hackers compromised personal data from some 57 million riders and drivers in a breach kept hidden for a year.
Two members of the Uber information security team who "led the response" that included not alerting users that their data was breached were let go from the San Francisco-based company effective on Tuesday, according to chief executive Dara Khosrowshahi.
Stolen files included names, email addresses, and mobile phone numbers for riders, and the names and driver license information of some 600,000 drivers, according to Uber.
Uber paid the hackers 100,000 to destroy the data, not telling riders or drivers whose information was at risk, according to a source familiar with the situation.
Co-founder and ousted chief Travis Kalanick was advised of the breach shortly after it was discovered, but it was not made public until Uber's new boss Khosrowshahi learned of the incident. "All companies would be wise to remember this: cock-ups are bad, but cover-ups can kill you," computer security specialist Graham Cluley said in a blog post.
Yahoo and Equifax were hit with criticism for how long it took the companies to disclose hacks.
McAfee vice president of labs Vincent Weafer described Uber's decision to pay the hackers off as unusual, and questioned whether it was wise. "You are relying on trust among thieves that the data has not been copied or leaked in any way," Weafer said.
Uber is notifying drivers whose license numbers were swiped, and offering them credit and identity theft protections. The company also said it is notifying regulators, and monitoring affected rider accounts for signs of fraud.