New details of Uber hack and bug bounty cover-up come to light


Traditionally, bug bounty programs are not used to reward those who hack and extort a company.

Uber's CEO, Dara Khosrowshahi, said in a blog post about the breach that "two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use", and that no payment data was exposed.

A Reuters report now sheds more light on how the company concealed its blackmail payment: the money was paid to an as-yet-unidentified Florida man through Uber's bug bounty program, which is hosted by HackerOne. HackerOne's CEO said he could not discuss an individual customer's program.

According to sources who spoke to Reuters, Uber paid the unnamed hacker $100,000 to destroy the data he had taken in October 2016, and routed the payment through its bug bounty program, a program created to reward security researchers who report flaws in Uber's software and hosted on HackerOne, which offers its platform to technology companies. Reuters did not learn the hacker's name. Uber also reportedly sought assurance that the data had been deleted by having a forensic analysis performed on the hacker's computer. Khosrowshahi has said the incident should have been disclosed to regulators at the time it was discovered the previous year, Reuters reported. The hacker is described in the report as "living with his mom in a small home trying to help pay the bills", and one source told Reuters that Uber did not want to prosecute an "individual who did not appear to pose a further threat".

"None of this should have happened, and I will not make excuses for it," Khosrowshahi wrote. He fired two employees over the cover-up. "We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers." It is unclear if he informed the legal department of the breach.
