The hacker that Uber compensated to destroy data and keep a hack that exposed the personal data of 57 million drivers and passengers a secret is a 20-year-old Florida man that the ride share company paid $100,000 to through its bug bounty program.
Citing three anonymous sources, Reuters reported that Uber funneled payment through the program – intended to encourage security researchers to find and disclose vulnerabilities – which is hosted by HackerOne.
Uber, which was already in hot water with regulators for a 2014 breach, “was under a legal obligation to notify regulators and to the impacted users and drivers,” Corey Williams, senior director of products and marketing at Centrify, said when news of the most recent breach broke in November. “Instead they took extreme measures to hide the hack, paying $100k to the hackers to remain quiet and actively took steps to keep the truth under wraps.”
Former CEO Travis Kalanick, who stepped down after the hack was revealed, reportedly knew of the incident and payout. Reuters’ sources said the company paid up so it could identify the hacker and commit him to a nondisclosure agreement to prevent future transgressions.
A single payment of $100,000 would have attracted attention, the report said, noting that a HackerOne spokesperson said “in all cases when a bug bounty award is processed through HackerOne, we receive identifying information of the recipient in the form of an IRS W-9 or W-8BEN form before payment of the award can be made.”
The report also cited former HackerOne Chief Policy Officer (CPO) Katie Moussouris, founder of Luta Security, as saying “if it had been a legitimate bug bounty, it would have been ideal for everyone involved to shout it from the rooftops,” and noting, “The creation of a bug bounty program doesn’t allow Uber, their bounty service provider, or any other company the ability to decide that breach notification laws don’t apply to them.”