On Tuesday, Bloomberg revealed that Uber paid hackers $100,000 to hide a cyber attack that exposed the personal data of 57 million users of the app in October 2016.
A total of 57 million names, email addresses and mobile phone numbers of the app's users around the world were downloaded by hackers.
"Given the current climate around data security and breaches it is astonishing that Uber paid off the hackers and kept this breach under wraps for a year", said David Kennerley, director of threat research at Webroot.
Uber's chief security officer, Joe Sullivan, and a lawyer who reported to him, Craig Clark, have been ousted for their roles in the breach and the cover-up.
"If Uber did indeed secretly pay off the hackers to keep the breach quiet, then a possible cover-up of the incident is problematic and must be investigated", Pallone said in a statement.
Two hackers penetrated GitHub, a private site used by Uber software engineers, to obtain login credentials that were then used to access a separate cloud-services provider.
"While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes", Khosrowshahi said in the emailed statement.
However, more than a fifth (21 percent) of respondents felt that such incidents probably happen all the time, so Uber's situation didn't bother them, and over a quarter (27 percent) felt it was annoying but wouldn't stop them from using the service.
Khosrowshahi added: "None of this should have happened, and I will not make excuses for it".
The company tracked down the hackers and pushed them to sign nondisclosure agreements, according to the people familiar with the matter.
Yet whatever comes of that investigation, Pilgrim, whose office will oversee the new Notifiable Data Breach (NDB) scheme from February 2018, called the breach "a timely reminder to Australian businesses and agencies of the reputational value of good privacy practice, and the reputational risks that can follow mishandling of personal data".
"You may be asking why we are just talking about this now, a year later", Khosrowshahi said.
British law carries a maximum penalty of 500,000 pounds ($662,000) for failing to notify users and regulators when data breaches occur.
A hacker accessed Uber data on more than 100,000 drivers in May 2014.
"Interestingly here it's the fact that Uber covered up the breach that seems to have got people's backs up, clearly showing how important honesty is when dealing with such incidents".
The hack is another controversy for Uber on top of sexual harassment allegations, a lawsuit alleging trade secrets theft and multiple federal criminal probes that culminated in Kalanick's ouster in June.