Uber paid hacker $100G to keep data breach past year a secret

Isaac Cain
December 8, 2017

A 20-year-old man from Florida was responsible for the Uber Technologies Inc. breach that exposed the data of 57 million customers and 600,000 drivers, which the company kept secret for a year, Reuters reported Wednesday. Uber's "bug bounty" service, a program known in the industry, is hosted by HackerOne, a company that offers its platform to several tech companies, the report said.

Its CEO Marten Mickos refused to identify the individual that received the payout but did make it clear that it knows his identity since it requires someone to prove their identity by sending a government tax form before authorizing payment. But the company did not reveal who the hacker was or how the payment was made.

Uber never revealed any information about the hacker or how it paid him the money, but it later confirmed that 2.7 million United Kingdom customers had their personal details stolen, as regulators stepped in to investigate the breach. The hacker was not a part of the program, but found a way into the system and emailed the company demanding money.

Sources have now told Reuters that payment to the hacker was made through its bounty program, which monetarily rewards those who find bugs in the company's software and applications.

More news: Actress Sophie Turner Talks About 'Games of Thrones' And 'Dark Phoenix'

The man is "living with his mom in a small home trying to help pay the bills", a person close to the matter told Reuters. How Uber officials confirmed the deletion of the data has not been revealed, and a number of United States senators have asked for an investigation into the breach, citing questions about why Uber failed to contact law enforcement.

Uber suffered a data breach in 2014 as well and was discussing a settlement with the FTC while it haggled with the Florida hacker to keep the 2016 breach quiet.

Uber declined to pursue criminal charges after determining that the person didn't pose an additional threat and eventually paid the hacker after confirming their identity and making them sign a nondisclosure agreement, Reuters reported. He questioned why the affected individuals and regulators weren't made aware of the hack.

Mr. Khosrowshahi learned of the incident after becoming Uber's chief executive in August, and he's since terminated two employees implicated in its response, Joe Sullivan, Uber's former head of security, and a deputy, attorney Craig Clark. "We are changing the way we do business".

Other reports by LeisureTravelAid

Discuss This Article

FOLLOW OUR NEWSPAPER