Uber paid hacker $100G to keep past year's data breach a secret

Marco Green
December 7, 2017

Uber paid a 20-year-old man from Florida $100,000 to delete the stolen personal details of 57m customers and drivers, 2.7m of whom were based in the UK.

The hacker wasn't a participant in the bug bounty program, Reuters reported, and instead emailed the company demanding money.

Sources familiar with the hack told Reuters the payment was made through a program created to reward bug hunters who report flaws in a company's software. Khosrowshahi said the incident should have been disclosed to regulators at the time it was discovered the previous year, Reuters reported. Now, details about the hacker's identity are starting to come out - he is a 20-year-old from Florida who lives with his mother and wanted to help pay the bills, Reuters reports. Uber is also believed to have conducted a forensic analysis of the hacker's computer to confirm that all of the company's data had been wiped.

Newly-appointed Uber chief executive Dara Khosrowshahi fired two of Uber's top security officials when he announced the breach last month, saying the incident should have been disclosed to regulators at the time it was discovered, about a year before.


The data, which included names, email addresses and mobile phone numbers - but not trip location history, credit card and bank account numbers, or dates of birth - was downloaded from Amazon Web Services (AWS) storage using Uber log-in credentials that had been stolen from a private area of GitHub, the web-based version control service used by developers.

Uber spokesman Matt Kallman declined to comment to Reuters. Uber's bug bounty program is hosted by HackerOne.

Reuters' sources said that ex-CEO Travis Kalanick was aware of both the breach and payment when he led the company. "Our recommendation is to never store access tokens, passwords, or other authentication or encryption keys in the code", the company said in a statement.
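The path described above, credentials sitting in a GitHub repository and then used against AWS storage, is the kind of leak a pre-commit secret scan is meant to catch. The scanner below is an added example, not code from Uber, HackerOne or GitHub; the file name, the non-AWS patterns and the entropy threshold are assumptions, and the sample config is constructed (its AWS values are AWS's own documented dummy keys):

```python
"""Minimal secret scanner for source/config text (added example). The AKIA/ASIA
key-ID format is AWS-documented; the other patterns and threshold are assumptions."""
import math
import re
from collections import Counter

PATTERNS = {
    # AWS access key IDs: AKIA (long-term) or ASIA (temporary) + 16 chars.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    # aws_secret_access_key = <40 base64-ish chars>, quotes optional.
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    # token / password / api_key = "<16+ non-space chars>" (heuristic).
    "generic_secret": re.compile(
        r"(?i)(?:token|password|api[_-]?key)\s*[=:]\s*['\"]([^'\"\s]{16,})['\"]"),
}
MIN_ENTROPY = 3.0  # bits per character; filters placeholders such as "xxxxxxxx"


def shannon_entropy(value):
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def scan_text(text, path="<input>"):
    """Return findings as (path, line_no, kind, masked_value) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if shannon_entropy(value) < MIN_ENTROPY:
                    continue  # likely a placeholder, not a live credential
                findings.append((path, line_no, kind, value[:4] + "..."))
    return findings


# Constructed sample config; the AWS values are AWS's documented dummy keys.
SAMPLE_CONFIG = """\
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_password = "xxxxxxxxxxxxxxxxxxxx"
api_key = "k8Ff2qLm9ZtQ3vWb7XyR1pHs"
"""

if __name__ == "__main__":
    for path, line_no, kind, masked in scan_text(SAMPLE_CONFIG, "config.ini"):
        print(f"{path}:{line_no}: {kind} ({masked})")
```

The low-entropy placeholder on the db_password line is deliberately not reported, while the three real-looking values are.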

Moussouris added that the failure to report the breach was a grievous error: "The creation of a bug bounty program doesn't allow Uber, their bounty service provider or any other company the ability to decide that breach notification laws don't apply to them".
