Florida Man… pockets Uber cash to keep quiet about data breach

Uber paid Florida hacker $100K to destroy stolen info – report

Then-chief executive Travis Kalanick and chief security officer Joe Sullivan made the decision to pay the hackers and keep the breach a secret from its customers and drivers.

But now three people familiar with the events have told Reuters that Uber used its so-called "bug bounty" program, normally used to identify small code vulnerabilities, to pay off the hacker (said to be an unidentified 20-year-old man in Florida).

HackerOne subsequently paid the person $100,000 in exchange for erasing the stolen Uber data, the sources told Reuters.

Uber announced on November 21 that the personal data of more than 57 million users, including 600,000 of its drivers in the US, had been stolen in a breach that took place in October of 2016, and that it paid the person who hacked it $100,000 to have that information destroyed. It is important to note that while HackerOne hosts Uber's bug bounty program, it does not manage it, nor does it have a hand in setting Uber's prices for bounty payments.

The company never provided any information about the hacker or how he was paid. Hackers and security researchers are typically paid thousands of dollars for bugs they find, depending on their severity.

HackerOne CEO Marten Mickos refused to identify the individual who received the payout but did make it clear that the company knows his identity, since it requires someone to prove their identity by sending a government tax form before authorizing payment. Uber's bug bounty service - as such a program is known in the industry - is hosted by a company called HackerOne, which offers its platform to a number of tech companies. Such a high payment would be "extremely unusual" and would represent an all-time record, according to one former HackerOne executive cited in the report. Two unidentified security team members at Uber who dealt with the breach were fired.

Furthermore, Reuters reports that "Uber made the payment to confirm the hacker's identity and have him sign a nondisclosure agreement to deter further wrongdoing".

Had the incident taken place after the introduction of the EU's General Data Protection Regulation (GDPR) next May, the penalties could have been more severe.
