Uber paid 20-year-old Florida man to keep data breach secret
Dec 07 2017 by Johnny Bowman
Uber revealed last month that hackers stole data on more than 57 million riders and drivers in October 2016.
Stolen details included customer names, email addresses and phone numbers from around the world, although credit card details, bank account numbers and dates of birth were not believed to have been accessed.
Three people familiar with the incident said an unidentified Florida man contacted Uber after breaching a server in October and stealing information including the names and email addresses of ride-share users in the US and overseas, Reuters reported Wednesday. Sources familiar with the hack have told Reuters that the payment was made through a program created to reward bug hunters who report flaws.
HackerOne subsequently paid the person $100,000 in exchange for erasing the stolen Uber data, the sources told Reuters.
Dara's Machiavellian moment: Did Khosrowshahi reveal details of the hack in part to throw Travis Kalanick under the bus (or car)?
Uber ended up firing its chief security officer Joe Sullivan and attorney Craig Clark over their roles in the data breach, so it looks like the company isn't exactly chuffed with how the situation was handled, even though it has yet to comment on the revelations Reuters' sources have been serving up.
Uber declined to pursue criminal charges after determining that the person didn't pose an additional threat and eventually paid the hacker after confirming their identity and making them sign a nondisclosure agreement, Reuters reported.
Uber spokesman Matt Kallman declined to comment, the report said. Uber's "bug bounty" service, a program known in the industry, is hosted by HackerOne, a company that offers its platform to several tech companies, the report said.
Uber has said hackers accessed names and email addresses, as well as the drivers' license numbers of 600,000 Uber drivers, by stealing the password to a cloud database hosted by Amazon Web Services.
In an August interview with Reuters, Sullivan, a former prosecutor and Facebook Inc security chief, said he integrated security engineers and developers at Uber 'with our lawyers and our public policy team who know what regulators care about'.