A 20-year-old Florida man was behind last year’s major data breach at Uber, three people familiar with the events have told Reuters.
The man was reportedly paid by the ride-hailing firm to destroy the data through a so-called “bug bounty” programme normally used to identify small code vulnerabilities.
Uber announced last month that the personal data of 57 million users, including 600,000 drivers in the United States, were stolen in a breach that occurred in October 2016, and that it paid the hacker $100,000 to destroy the information. But the company did not reveal any information about the hacker or how it paid him the money.
Uber made the payment last year through a programme designed to reward security researchers who report flaws in a company’s software, the people said. Uber’s bug bounty service is hosted by a company called HackerOne, which offers its platform to a number of tech companies.
Newly appointed Uber Chief Executive Dara Khosrowshahi fired two of Uber’s top security officials when he announced the breach last month, saying the incident should have been disclosed to regulators at the time it was discovered, about a year before.
It remains unclear who made the final decision to authorise the payment to the hacker and to keep the breach secret, though the sources said then-CEO Travis Kalanick was aware of the breach and bug bounty payment in November of last year.
Kalanick, who stepped down as Uber CEO in June, declined to comment on the matter, according to his spokesman.
A former HackerOne executive said that a $100,000 payment through a bug bounty programme would be extremely unusual, and would in fact represent an “all-time record.”
Security professionals said rewarding a hacker who had stolen data also would be well outside the normal rules of a bounty programme, where payments are typically in the $5,000 to $10,000 range.