While Russian agents are increasingly becoming a top tech concern, corporate hacking is definitely right beside it on the list. One tech juggernaut in particular was the victim of a huge data breach not long ago, and we didn’t even know it — until now.

According to the New York Times, two hackers stole over 57 million Uber rider and driver accounts, including names, phone numbers and email addresses.

The company paid the hackers $100,000 to delete the data, then tracked them down and forced them to sign NDAs. Uber then proceeded to pretend that the payment was a bug bounty, a payment tech companies give to white hat hackers in exchange for information about their company’s security weaknesses.

The cover-up scheme was arranged by Uber’s former chief security officer, Joe Sullivan, according to several anonymous Uber former and current employees. Sullivan, who was fired, did so under the eye of controversial former chief executive Travis Kalanick. Kalanick was forced out of the CEO chair in June, but still remains a member of the board.

Spokespeople for Sullivan and Kalanick refused to comment.

With those two out of the picture, current Uber CEO Dara Khosrowshahi has been left to clean up their mess.

“None of this should have happened, and I will not make excuses for it,” Khosrowshahi wrote in a blog post on Uber’s website. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

The company isn’t just in trouble with its customers and privacy advocates following these revelations — it could also be in trouble with the law.

The FBI has released guidelines telling tech companies not to pay hackers ransom money for data. However, no laws have been passed making doing so illegal.

What is illegal is destroying forensic evidence of a crime; in forcing the hackers to delete the data they stole, Uber may have violated this FCC rule.

And Uber might be in trouble with the states, too. Disclosing the theft of drivers licence information is mandatory in several states. And if the license information wasn’t encrypted, California state law states that Uber should have disclosed that it was hacked immediately.

One state has already started its investigation: the New York attorney general’s office confirmed on Tuesday that it is opening an investigation on the matter.