Uber recently admitted to covering up a massive cybersecurity breach by paying hackers $100,000 to delete the personal data of 57 million customers, more than 600,000 of which were U.S. drivers. The ride-hailing company’s new CEO Dara Khosrowshahi came clean about the 2016 incident in late November, admitting it should have been disclosed publicly shortly after it occurred. But he omitted several pieces of information, including the identity of the hackers and how the company disguised its payment to them.
A Reuters report published on Thursday shines some light on the incident. Uber reportedly paid a 20-year-old hacker from Florida through its bounty program, a service usually put in place by companies to reward white hat hackers for discovering and reporting bugs, according to “three people familiar with the matter.”
The company’s bounty service is hosted by a third-party company called HackerOne, which connects businesses with cybersecurity researchers. An executive from the company told Reuters that a $100,000 payment through its service is “highly unusual,” as most ethical hackers are paid between $5,000 and $10,000 for reporting a vulnerability. The service only hosts Uber’s bounty program; it does not run it, meaning the decision to pay the hacker was left entirely to executives at Uber.
HackerOne CEO Marten Mickos told Reuters that his company is given information regarding the identity of a hacker, but would not disclose who stole private data from Uber customers. We still don’t know much about the true identity of that person, though one source said it was a 20-year-old from Florida who is “living with his mom in a small home trying to help pay the bills.” The source also told Reuters that Uber decided not to press charges because the hacker didn’t pose a further threat.
Reuters further reports, “Uber made the payment to confirm the hacker’s identity and have him sign a nondisclosure agreement to deter further wrongdoing. Uber also conducted a forensic analysis of the hacker’s machine to make sure the data had been purged, the sources said.”
The report gives us a better look at how Uber hid its secrets, but several questions remain unanswered. It’s still unclear who made the decision to pay off the hacker and tell all those who knew about it to keep quiet. The identity of a second person who grabbed Uber credentials from GitHub is also unknown.
While it may appear Uber effectively dealt with the issue, its failure to reveal the security breach was poor judgment and against U.S. state laws.
New York Attorney General Eric Schneiderman said his team has already launched an investigation into the incident. The Connecticut attorney general will also intervene. Additionally, authorities in Europe are threatening to punish the ride-hailing giant. Italy’s defense protection chief is now investigating what he calls “the obvious lack of adequate security measures,” and several agencies in the U.K.—the Information Commissioner’s Office, National Crime Agency, and National Cyber Security Centre—have also launched investigations.
Uber recently fired Joe Sullivan, its chief security officer, and deputy Craig Clark for their handling of the incident.