Uber reportedly paid a 20-year-old hacker to conceal massive data breach
Uber recently admitted to covering up a massive cybersecurity breach by paying hackers $100,000 to delete the personal data of 57 million customers, more than 600,000 of whom were U.S. drivers. The ride-hailing company’s new CEO Dara Khosrowshahi came clean about the 2016 incident in late November, admitting it should have been disclosed publicly shortly after it occurred. But he omitted several pieces of information, including the identity of the hackers and how the company disguised its payment to them.
A Reuters report published on Thursday shines some light on the incident. Uber reportedly paid a 20-year-old hacker from Florida through its bounty program, a service usually put in place by companies to reward white hat hackers for discovering and reporting bugs, according to “three people familiar with the matter.”
The company’s bounty service is hosted by a third-party company called HackerOne, which connects businesses with cybersecurity researchers. An executive from the company told Reuters that a $100,000 payment through its service is “highly unusual,” as most ethical hackers are paid between $5,000 and $10,000 for reporting a vulnerability. The service only hosts Uber’s bounty program; it does not run it, meaning the decision to pay the hacker was left entirely to executives at Uber.
HackerOne CEO Marten Mickos told Reuters that his company is given information regarding the identity of a hacker, but would not disclose who stole private data from Uber customers. We still don’t know much about the true identity of that person, though one source said it was a 20-year-old from Florida who is “living with his mom in a small home trying to help pay the bills.” The source also told Reuters that Uber decided not to press charges because the hacker didn’t pose a further threat.
Reuters further reports, “Uber made the payment to confirm the hacker’s identity and have him sign a nondisclosure agreement to deter further wrongdoing. Uber also conducted a forensic analysis of the hacker’s machine to make sure the data had been purged, the sources said.”
The report gives us a better look at how Uber hid its secrets, but several questions remain unanswered. It’s still unclear who made the decision to pay off the hacker and tell all those who knew about it to keep quiet. The identity of a second person who grabbed Uber credentials from GitHub is also unknown.
While it may appear Uber effectively dealt with the issue, its failure to reveal the security breach was poor judgment and against U.S. state laws.
New York Attorney General Eric Schneiderman said his team has already launched an investigation into the incident. The Connecticut attorney general will also intervene. Additionally, authorities in Europe are threatening to punish the ride-hailing giant. Italy’s defense protection chief is now investigating what he calls “the obvious lack of adequate security measures,” and several agencies in the U.K.—the Information Commissioner’s Office, National Crime Agency, and National Cyber Security Centre—have also launched investigations.
Uber recently fired Joe Sullivan, its chief security officer, and deputy Craig Clark for their handling of the incident.
Phillip Tracy is a former technology staff writer at the Daily Dot. He's an expert on smartphones, social media trends, and gadgets. He previously reported on IoT and telecom for RCR Wireless News and contributed to NewBay Media magazine. He now writes for Laptop magazine.