A 20-year-old Florida hacker was responsible for a large data breach at Uber last year, according to Reuters. The company paid the hacker $100,000 to destroy the stolen information.
Uber announced last month that a hacker had stolen the personal data of 57 million users, including 600,000 drivers in the US, in a data breach that occurred in October 2016. The company also announced that it had paid the hacker to destroy the information.
Uber’s new CEO, Dara Khosrowshahi, fired two of the company’s top security executives at the same time he announced the breach. The incident, Khosrowshahi said, should have been disclosed to regulators when it was discovered a year ago.
While it’s unclear who authorized the payout to the data thief, sources told Reuters that then-CEO Travis Kalanick, who stepped down in June, was aware of both the breach and the payment.
The payment was made through a “bug bounty” program designed to reward security researchers who report software flaws, Reuters reported. Uber’s bug bounty service is hosted by a company called HackerOne. That company merely hosts Uber’s program, however; it has no say in how large payments can be or to whom they go. One former HackerOne executive told Reuters that a payout of $100,000 would be “an all-time record,” and that paying extortion money to a hacker who’d stolen information would also be highly unusual on the platform.