Uber's disclosure that hackers accessed the personal information of 57 million riders and drivers last year, a breach it didn't disclose publicly until Tuesday, adds new potential legal woes for the already troubled company.
Part of the reason nothing malicious has happened is that Uber acknowledges paying the hackers $100,000 to destroy the stolen information.
U.S. Representative Frank Pallone called on Wednesday for a hearing into Uber Technologies Inc's handling of a breach that exposed data about drivers and riders. Additionally, the license numbers of 600,000 drivers were exposed during the breach.
Instead of alerting users and authorities to the breach as required by law, Uber paid the hackers $100,000.
Uber would not confirm it paid this ransom.
After finding an archive of driver and rider information, the attackers emailed Uber demanding money.
Two hackers penetrated GitHub, a private site used by Uber software engineers, to obtain login credentials that were then used to access a separate cloud-services provider.
London's transport regulator recently pulled Uber's operating license, saying the company failed to deal with public safety and security issues.
Khosrowshahi added: "None of this should have happened, and I will not make excuses for it".
Two hackers managed to access the personal information, which they stole from a "third-party cloud-based service". The New York attorney general has opened an investigation into the data breach, a spokeswoman said.
"I'm just used to these breaches all the time; unfortunately it's a common occurrence", said traveler Ryan Eytcheson, who was jumping in his Uber after flying in from Los Angeles.
The hack was discovered by an external team that was tasked with investigating the activities of Sullivan's security team, which is said to have taken many decisions that have affected the company.
Uber is now negotiating a deal with a consortium led by SoftBank and Dragoneer Investment Group that plans to inject $1bn to $1.25bn into Uber, according to Reuters, but industry commentators said the reportedly tough negotiations could get tougher in the light of news of the breach.
Khosrowshahi said that what he learned about Uber's failure to notify users or regulators prompted corrective actions.
With no federal data privacy law, Uber's obligation to report the breach falls under a patchwork of data-breach laws in 48 states that come with differing and often complex notification requirements.
Under new data protection rules that come into force in the European Union next May, companies will have to identify and notify regulators of data breaches within 72 hours or face significantly increased penalties.
Khosrowshahi inherited a litany of scandals and a toxic workplace culture when he replaced Kalanick.