Uber said Tuesday hackers compromised personal data from some 57 million riders and drivers of the ridesharing service in a 2016 incident.
"None of this should have happened, and I will not make excuses for it," chief executive Dara Khosrowshahi said in a statement.
Uber paid the hackers $100,000 to destroy the data, not telling riders or drivers whose information was at risk, according to a source familiar with the situation.
Some Australian users were part of the global breach, Uber confirmed after informing Australia's privacy commissioner.
It has not specified how many of its 3.1 million Australian riders were caught up in the breach.
“We are in the process of notifying various regulatory and government authorities and we expect to have ongoing discussions with them,” Uber Australia spokesman Mike Scott told SBS World News.
“Until we complete that process we aren't in a position to get into any more details,” he said.
SBS World News has contacted the Australian Cyber Security Centre – which brings together Australia’s cybersecurity agencies – for a comment.
Co-founder and ousted chief Travis Kalanick was advised of the breach shortly after it was discovered, but it was not made public until Uber's new boss Mr Khosrowshahi found out.
Mr Khosrowshahi said he 'recently learned... two people outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use'.
He said the breach did not impact on Uber's corporate systems or infrastructure.
Uber claims its forensic experts did not find evidence that the hackers had downloaded any information relating to trip location history, credit card numbers, bank account numbers, social security numbers or date of births.
But the hackers did get their hands on the names and licence numbers of about 600,000 US drivers, and the names, email addresses and mobile phone numbers of 57 million Uber users around the world.
"At the time of the incident, we took immediate steps to secure the data and shut down further unauthorised access by the individuals," Mr Khosrowshahi said.
"We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed.
"We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts."
Mr Khosrowshahi said he ordered a 'thorough investigation' into how this data breach happened and how it was handled by Uber.
He said Uber had individually notified the drivers whose data had been downloaded, and provided them with free credit monitoring and identity theft protection.
SBS News has contacted Uber for further comment on the matter.
- with AFP
