A 20-year-old Florida man was responsible for the large data breach at Uber Technologies last year and was paid by Uber to destroy the data through a so-called “bug bounty” program normally used to identify small code vulnerabilities, three people familiar with the events have told Reuters.
Uber announced on Nov. 21 that the personal data of 57 million users, including 600,000 drivers in the United States, were stolen in a breach that occurred in October 2016, and that it paid the hacker $100,000 to destroy the information. But the company did not reveal any details about the hacker or how it paid him the money.
Uber made the payment last year through a program designed to reward security researchers who report flaws in a company’s software, these people said. Uber’s bug bounty service – as such a program is known in the industry – is hosted by a company called HackerOne, which offers its platform to a number of tech companies.
Reuters was unable to establish the identity of the hacker or of another person who, sources said, helped him. Uber spokesman Matt Kallman declined to comment on the matter.
Newly appointed Uber Chief Executive Dara Khosrowshahi fired two of Uber’s top security officials when he announced the breach last month, saying the incident should have been disclosed to regulators at the time it was discovered, about a year earlier.
It remains unclear who made the final decision to authorize the payment to the hacker and to keep the breach secret, though the sources said then-CEO Travis Kalanick was aware of the breach and the bug bounty payment in November of last year.
Kalanick, who stepped down as Uber CEO in June, declined to comment on the matter, according to his spokesman.
A payment of $100,000 through a bug bounty program would be extremely unusual, with one former HackerOne executive saying it would represent an “all-time record.” Security professionals said rewarding a hacker who had stolen data would also be well outside the normal rules of a bounty program, where payments are typically in the $5,000 to $10,000 range.
HackerOne hosts Uber’s bug bounty program but does not manage it, and plays no role in deciding whether payouts are appropriate or how large they should be.
HackerOne CEO Marten Mickos said he could not discuss an individual customer’s programs. “In all cases when a bug bounty award is processed through HackerOne, we receive identifying information of the recipient in the form of an IRS W-9 or W-8BEN form before payment of the award can be made,” he said, referring to U.S. Internal Revenue Service forms.
According to two of the sources, Uber made the payment to confirm the hacker’s identity and to have him sign a nondisclosure agreement to deter further wrongdoing. Uber also conducted a forensic analysis of the hacker’s machine to make sure the data had been purged, the sources said.
One source described the hacker as “living with his mom in a small home trying to help pay the bills,” adding that members of Uber’s security team did not want to pursue prosecution of an individual who did not appear to pose a further threat.
The Florida hacker paid a second person for services that involved accessing GitHub, a site widely used by programmers to store their code, to obtain credentials for access to Uber data stored elsewhere, one of the sources said.
GitHub said the attack did not involve a failure of its security systems. “Our recommendation is to never store access tokens, passwords, or other authentication or encryption keys in the code,” that company said in a statement.