Wednesday, 12 December, 2018

Uber paid 20-year-old Florida man to keep data breach secret

Nellie Chapman | 07 December, 2017, 17:44

A 20-year-old man from Florida was responsible for the Uber Technologies Inc. breach that exposed the data of 57 million customers and 600,000 drivers, which the company kept secret for a year, Reuters reported Wednesday. The stolen data included personal information such as email addresses, names, and driver's license numbers.

Three people familiar with the incident said an unidentified Florida man contacted Uber after breaching a server in October and stealing information including the names and email addresses of ride-share users in the US and overseas, Reuters reported Wednesday. The company didn't say how the hacker was paid, or who he was. According to Reuters, the payment to the hacker was made via Uber's bug bounty program hosted by HackerOne.

At the time of the incident, Uber approached the two hackers and "obtained assurances that the downloaded data had been destroyed", and upped the security of the third-party cloud-based storage account they had accessed, he added.

Remember the unidentified man who was paid $100,000 to delete Uber's stolen data?

Sources have now told Reuters that payment to the hacker was made through its bounty program, which monetarily rewards those who find bugs in the company's software and applications.

"In all cases when a bug bounty award is processed through HackerOne, we receive identifying information of the recipient in the form of an IRS W-9 or W-8BEN form before payment of the award can be made", HackerOne CEO Marten Mickos told Reuters. Uber declined to comment on the matter to the news outlet. Since that time, CEO Travis Kalanick stepped down and was replaced by Dara Khosrowshahi in August.

Uber received an email last year from an anonymous person demanding money in exchange for user data, and the message was forwarded to the company's bug bounty team in what was described as Uber's routine practice for such solicitations, according to three sources familiar with the matter.

The revelation has gotten the startup in hot water with regulators and prosecutors.