The hack, which is said to have compromised personal data including names, email addresses, phone numbers and licence plates, was allegedly covered up by the company’s Chief Executive at the time, Travis Kalanick.
The company paid out $100,000 (£75,000) to hackers to have the data deleted and the breach covered up.
Kalanick stepped down as CEO in June of this year after major investors demanded his resignation.
Two employees from Uber are said to have been dismissed over the breach; Chief Security Officer, Joe Sullivan and deputy Craig Clark.
Uber confirmed that no other data was accessed and that credit card details of its customers remain safe. It has also offered free identity theft protection and credit monitoring to those drivers whose licence numbers had been compromised.
Current Chief Executive, Dara Khosrowshahi, who took over in September 2017, said, ‘None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.’
Chris Hoofnagle of the Berkeley Centre for Law and Technology commented ‘The only way one can have direct liability under security breach notification statues in the US is to not give notice. Thus, it makes little sense to cover up a breach.’
Khosrowshahi commented that the data ‘…had been stolen from a third-party cloud-based service – understood to be Amazon Web Services, which the attackers accessed using legitimate passwords stolen via coding website GitHub.’
Uber joins a growing list of high-profile businesses that have been targeted in recent years, along side the likes of Yahoo, Deloitte, Equifax and Bupa.