
Uber paid $100,000 to a 20-year-old hacker from Florida to cover up a 2016 data breach, which the company revealed late in November this year, Reuters reported, citing sources. The hacker had reportedly stolen the personal data of 57 million users, including 600,000 US drivers working for the company.

The pay-off, disguised as a bug bounty, was reportedly handed out to the hacker via HackerOne — the company that hosts Uber's bug bounty service, but does not oversee the programme or make decisions on payouts — to cover up the breach and destroy the stolen data, the sources added.

Uber's security team did not consider the hacker a threat after the pay-off was made and chose not to prosecute him; one source reportedly described him as "living with his mom in a small home trying to help pay the bills".

The identity of the Florida hacker and another alleged cybercriminal also involved in the hack is still unknown, and Uber is yet to comment on the matter.

Meanwhile, Reuters cited unspecified sources familiar with the matter as saying that then-Uber CEO Travis Kalanick was aware of the breach and of the bug bounty payment, which was made in November 2016. However, it remains unclear who at Uber authorised the pay-off to the hacker.

Uber paid the hacker in order to confirm his identity, and ran forensic analysis on the hacker's system to ensure that all the stolen data had been deleted, two unnamed sources told the news agency. The ride-hailing firm also reportedly made the hacker sign an NDA (non-disclosure agreement).

The sources also revealed that the Florida-based hacker paid a second alleged cybercriminal who was also involved in the breach. This second individual reportedly provided services that allowed the hacker to access GitHub and steal credentials that granted access to Uber's data.

GitHub reportedly said that the Uber hack did not involve a failure of its security systems. "Our recommendation is to never store access tokens, passwords, or other authentication or encryption keys in the code," the company reportedly said.

Uber's decision to pay the hacker an amount as large as $100,000, even in the form of a bug bounty, is an uncommon move. According to a former HackerOne employee, the payout would likely be an "all-time record" for a bug bounty payment. Security researchers are reportedly paid between $5,000 and $10,000 for reporting vulnerabilities.

Uber's singular decision to cover up the breach and pay off the hacker through its bug bounty programme was not in line with industry standards. "If it had been a legitimate bug bounty, it would have been ideal for everyone involved to shout it from the rooftops," Luta Security founder Katie Moussouris, who is a former HackerOne executive, told Reuters. "The creation of a bug bounty programme doesn't allow Uber, their bounty service provider, or any other company the ability to decide that breach notification laws don't apply to them."

Since the Uber hack came to light, the firm has come under increased scrutiny from regulators in the US and other countries. Last month, Uber also revealed that over 2.7 million users and drivers in the UK had been affected by the breach. Apart from facing investigations by the US government, the firm and the details of the breach are also under investigation by Britain's data regulator, the ICO (Information Commissioner's Office).