As part of a settlement agreement, Uber has admitted to covering a 2016 data breach that affected 57 million passengers and drivers.

The company is also cooperating with the prosecution of former security chief Joseph Sullivan for his alleged role in covering up the attack.

U.S. Attorney Stephanie Hinds said Uber waited about a year before reporting the breach after a new executive “established a strong tone from the top” regarding compliance.

Hinds said that the decision not to prosecute Uber for late disclosure was based on the swift investigation and disclosures from the new management. The decision was also reached due to Uber’s agreement with the Federal Trade Commission (FTC) in 2018 to maintain a comprehensive data protection program for 20 years.

Uber paid a C$148 million settlement fee to all 50 states and Washington D.C. in 2018 for the company’s decision to cover up the data breach.

Uber’s security chief Sullivan was indicted for his role in covering up the attack, with prosecutors accusing Sullivan of agreeing to pay the hackers C$100,000 in bitcoin and ensuring they sign nondisclosure agreements falsely stating they had not stolen data.

The sources for this piece include an article in Reuters.