New York — Uber Technologies will pay $148m to settle claims related to a large-scale data breach that exposed the personal information of more than 25 million of its US users, Iowa’s attorney general said on Wednesday.

The settlement, spanning 50 states, is the biggest data-breach payout in history, and marks the most sweeping rebuke by regulators against the San Francisco-based company, which earned a reputation for skirting rules in its push to dominate the ride-hailing market.

The states’ agreement stemmed from data compromised in 2016 by hackers, who obtained 607,000 US driver’s licence numbers, as well as tens of millions of consumer e-mail addresses and phone numbers, a leak that Uber failed to disclose for more than a year after discovering the attack.

"Failing to report data breaches as soon as possible can harm consumers," said Iowa attorney general Tom Miller.

The penalty comes at a pivotal time for Uber CEO Dara Khosrowshahi, who is laying the groundwork for a 2019 initial public offering while working to distance the brand from the controversial growth-at-all-costs approach established under his predecessor, co-founder Travis Kalanick.

Bloomberg News reported last November that Kalanick learned of the 2016 breach just a month after hackers stole the personal data on 57 million of Uber’s customers around the world, including 25.6 million riders and drivers in the US.

But the company concealed the breach from authorities and instead paid the hackers $100,000 to delete the stolen data and keep the incident quiet.

After the episode came to light, Uber ousted its security chief and disclosed the breach to the US Federal Trade Commission, which had already reprimanded the company for a similar data breach from 2014.

"None of this should have happened, and I will not make excuses for it," said Khosrowshahi, who replaced Kalanick last year in a statement in November.