Tech

Uber paid 20-year-old man to hide hack, destroy data

A hacker from Florida was allegedly paid $100,000 to keep his mouth shut and delete stolen user data.

Written by Charlie Osborne, Contributing Writer Dec. 7, 2017 at 2:15 a.m. PT

Uber reportedly paid a hacker from Florida $100,000 under the guise of a bug bounty program to keep quiet about a data breach which exposed information belonging to 57 million users.

According to three unnamed sources, as reported by Reuters, a 20-year-old was responsible for the catastrophic data breach, rather than a sophisticated group or state-sponsored team.

Security

The data breach came to light in November, in which the names, email addresses, and phone numbers of 57 million Uber users worldwide were stolen, including 600,000 drivers' license copies.

The breach, dating back to 2016, was apparently caused after hackers compromised a private GitHub repository and harvested engineering credentials later used to access an Amazon Web Services (AWS) account and the information stored within.

Last month, Uber CEO Dara Khosrowshahi confirmed the breach, saying that "we have to be honest and transparent as we work to repair our past mistakes."

The hackers in question were paid $100,000 to delete the information and keep quiet under the guise of the legitimate bug bounty program offered by Uber on the HackerOne bug bounty platform.

However, according to Reuters, it was one lone wolf -- and a young US citizen at that -- who was responsible.

Under the terms of the deal, the unnamed man had to sign a nondisclosure agreement, agree not to compromise Uber again, and the company also conducted a forensic examination of his machine to make sure the data had been purged.

Speaking to the publication, one source described the hacker as "living with his mom in a small home trying to help pay the bills."

Regulators were not informed of the incident at the time of the breach.

When a valid vulnerability is discovered and submitted through a bug bounty program, there is usually a public disclosure and often a technical explanation of the problem to promote news of the fix and to encourage other researchers to take an interest.

In addition, most rewards -- even for the most critical issues -- rarely earn bug bounty hunters such an amount.

You can potentially understand the panic and attempt to hush it up -- especially in light of how much controversy Uber has courted in the past few years -- but with the information of so many users at stake who trust the company, this is a terrible failure and was a huge mistake which may be extremely difficult to recover from.

ZDNet has reached out to Uber and will update if we hear back.