He should have come forward with it immediately while still conducting the internal investigation. Not only do customers deserve to know as soon as possible, but it would have established trust in him as CEO and cemented that Kalanick needed to be gone.
You mean he should have told those affected without knowing what actually was leaked, the scope and impact of the leak, and the whereabouts of the leaked data, or making sure there are enough safeguards in place so no one can repeat the same attack? Does not sound more responsible?
The keyword is responsible disclosure, not just disclosure.
Once they knew anything was leaked, no matter what, the responsible move is to inform everyone to give them a chance to lock down their shit. More time or knowledge of where the data is won't save anyone.
As for the "other attacker" excuse, how would that work? Just from knowing that data was leaked, no new attacker can deduce the weakness used.
The PR damage to the company would be much greater due to people speculating a worst case scenario. Followed up by the fact people wouldn't care anymore when the investigation is finished.