UBER PAID A 20-YEAR-OLD TO KEEP DATA BREACH A SECRET
Date: 2017-12-07
A 20-year-old Florida man was responsible for the large data breach at Uber Technologies last year and was paid by the company to destroy the data through a so-called "bug bounty" programme normally used to identify small code vulnerabilities, three people familiar with the events have told Reuters.
On November 21 Uber announced that the personal data of 57 million passengers and 600,000 drivers were stolen in a breach that occurred in October 2016, and that the company paid the hacker $100,000 to destroy the information. But Uber did not reveal the information about the hacker nor how the company paid him that amount of money.
Uber made the payment through a programme designed to reward security researchers who report flaws in the company's software. Uber's bug bounty service – as such a programme is known in the industry – is hosted by a company called HackerOne, which offers its platform to a number of tech companies.
Reuters was unable to establish the identity of the hacker or another person who sources said helped him. Uber spokesman Matt Kallman declined to comment on the matter.
Dara Khosrowshahi, the newly appointed Uber Chief Executive, fired two Uber top security officials when he announced the breach last month, stating the incident should have been disclosed to regulators at the time it was discovered, about a year before.
Sources said then-CEO Travis Kalanick was aware of the breach and bug bounty payment in November last year. Kalanick, who stepped down as Uber's CEO in June, declined to comment on the matter, according to his spokesman.
HackerOne hosts Uber's bug bounty programme but does not manage it, and plays no role in deciding whether payouts are appropriate or how large they should be.
HackerOne's CEO, Marten Mickos, said he could not discuss an individual customer's programs. "In all cases when a bug bounty award is processed through HackerOne, we receive identifying information of the recipient in the form of an IRS W-9 or W-8BEN form before payment of the award can be made," Mickos said, referring to the US Internal Revenue Service forms.
According to a source, Uber made the payment to confirm the hacker's identity and have him sign a nondisclosure agreement to discourage further wrongdoing. Uber also conducted a forensic analysis of the hacker's machine to make sure the data had been purged, said the source.