Uber’s new CEO Dara Khosrowshahi has inherited yet another scandal from Travis Kalanick. The ridesharing firm has revealed to Bloomberg that it hid an extortion-oriented cyberattack which exposed the personal info for roughly 57 million customers and drivers in October 2016, including names, email addresses and phone numbers. Instead of reporting the hack to the government and users, it paid hackers $100,000 to delete the info and keep quiet for more than a year.

There’s no evidence the data was abused, Uber said. However, Khosrowshahi isn’t about to defend his company’s past behavior. “I will not make excuses for it,” he said in a statement. Accordingly, Uber has fired chief security officer Joe Sullivan and one of his deputies, senior lawyer Craig Clark, for playing key roles in covering up the truth. It’s also asking former National Counterterrorism Center director Matt Olsen for help structuring Uber’s security processes and has stepped up its fraud monitoring for the affected accounts. Drivers in particular are getting free credit monitoring and identity theft protection.

News of the data breach underscores just how much of a challenge Khosrowshahi faces in rethinking Uber’s toxic corporate culture. The company was continuing its longstanding habit of ignoring the law even after it had just settled a New York state lawsuit over data security disclosures, and was entering talks with the FTC that would lead to a settlement over data handling. If it could face those kinds of legal threats and still decide that concealing an attack was more important than protecting users, it clearly needs major reforms.