Uber Used Bug Bounty Cash To Pay Hacker To Keep Quiet

Uber hasn't identified the hacker it paid $100,000 to last year, but Reuters reports it's a 20-year-old man in Florida.

Uber paid the man to delete the data through a "bug bounty" program hosted by the company HackerOne.

A 20-year-old Florida man was responsible for the data breach last year at Uber Technologies and was paid by the company to destroy that data through what is known as a bug bounty program, which is normally used to identify vulnerabilities, said three sources familiar with the situation.

Uber announced on November 21 that the personal data of 57 million passengers and 600,000 drivers were stolen in a breach that occurred in October 2016, and that it paid the hacker $100,000 to destroy the information.

HackerOne subsequently paid the person $100,000 in exchange for erasing the stolen Uber data, the sources told Reuters.

Uber made the payment last year through a program created to reward security researchers who report flaws in a company's software, these people said.

The culprit's message was forwarded to Uber's "bug bounty" team and ultimately made its way to HackerOne, a third-party company that awards researchers for revealing security flaws in clients' products.

But it would appear that Uber used its bug bounty as a means to pay off the hacker, whom a source described as "living with his mom in a small home trying to help pay the bills". The source noted that Uber didn't want to pursue any legal action because it perceived the man as no longer posing a threat to it.

Mr Khosrowshahi fired two of the company's security officials, chief security officer Joe Sullivan and attorney Craig Clark, for their failure to disclose the breach to law enforcement at the time, instead choosing to cover it up.

Sources told Reuters that then-CEO Travis Kalanick was aware of the breach and "bug bounty" payment in November of last year. He stepped down as Uber CEO in June and has taken a vow of silence too.

This all has a distinct whiff of bad practice about it, something which has plagued Uber of late, what with losing its London license and the rather nasty actions of former chief executive Travis Kalanick.

HackerOne CEO Marten Mickos said that he could not comment on individual customers' programmes. HackerOne receives the personal information of the person paid in a W-9 or W-8BEN form before any payment can be made. They also analysed his machine to confirm that the data had been purged.
