The company paid hackers $100,000 to delete the data and keep the breach quiet, and did not report the incident. The ride-hailing company said it has fired chief security officer Joe Sullivan — previously security boss at Facebook — for his role in hiding the data breach.
"At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures," Uber said in a statement. It did not address the payment.
New York Attorney General Eric Schneiderman launched an investigation into the hack, according to press secretary Amy Spitalnick.
Earlier this year, Uber agreed to 20 years of privacy audits after the FTC said the ride-hailing service had "failed consumers" after a 2014 data breach.
In that case, the FTC said: "Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees' access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data."
The data breaches, while small in comparison to Yahoo's 3 billion-account cyberattack, is the latest of several missteps within the ride-hailing giant. The company has fielded scrutiny over allegations of sexual harassment and workplace misconduct, has lost numerous executives amid dissent within the board of directors, and has sparred with regulators from London to Singapore.
Former CEO Travis Kalanick knew about the 2016 hack.
"You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it," Khosrowshahi said of the breach.
Bloomberg and The New York Times previously reported details of the data breach.
— CNBC's Paayal Zaveri contributed to this report.