A former Uber executive has been charged with covering up a data breach affecting 57 million app users and drivers.

Joe Sullivan, Uber’s former chief security officer, is facing obstruction of justice and other charges stemming from a 2016 data breach. The breach occurred when two men hacked a third-party server to steal the personal information of Uber users and drivers and demanded a $100,000 ransom to delete the files.

The two hackers – American Brandon Glover and Canadian Vasile Mereacre –  stole 57 million Uber user and driver files in the cyberattack. Uber officials failed to report the data breach for a year and instead paid the ransom and then tracked down the two men and had them sign nondisclosure agreements.

Almost a year after the data breach, new CEO Dara Khosrowshai took over at Uber and reported the data breach to police. Glover and Mereacre were arrested and pled guilty to the hack. A third unknown suspected hacker is still at large.

Glover and Mereacre also are suspected of hacking a LinkedIn-owned company, also in 2016, but LinkedIn officials refused to pay the ransom demand and instead reported the breach to authorities.

Uber paid $148 million to the Federal Trade Commission to settle a national investigation into the company’s failure to report the data breach and notify users and drivers their personal information had been compromised.

Sullivan left Uber in November 2017 and currently serves as chief security officer for CloudFlare, an internet infrastructure company.