Breach, Data Security, Network Security

Uber CISO to Congress: data breach extortion payment wasn’t a true bug bounty

Testifying before members of Congress on Tuesday, Uber Technologies CISO John Flynn acknowledged that his company acted irresponsibly by waiting a full year before disclosing the breach of a third-party database containing information on 57 million customers and drivers.

Flynn also confirmed that Uber's $100,000 payout to the two attackers who stole the sensitive data was conducted through its bug bounty platform provider HackerOne. However, he assured lawmakers that the extortion payment was a highly atypical transaction for the bug bounty program, which normally rewards only white-hat researchers who ethically and responsibly discover vulnerabilities in Uber's systems and software.

"First, I would like to echo statements made by new leadership, and state publicly that it was wrong not to disclose the breach earlier," stated Flynn in written testimony submitted to the Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security -- a branch of the U.S. Senate Committee on Commerce, Science and Transportation. "The breach should have been disclosed in a timely manner. The company is taking steps to ensure that an incident like this does not happen again, with personnel changes and additional remedial actions."

Current Uber CEO Dara Khosrowshahi revealed the 2016 breach incident on Nov. 22, 2017, roughly three months after taking over the chief executive role from Travis Kalanick, who was ousted following a series of corporate scandals.

In separate, oral testimony, Flynn said that Uber ultimately capitulated to the intruders' financial demands in order to protect its consumers' data. (In turn, the attackers agreed to delete the stolen information.) "However, this was not done consistent with the way our bug bounty program normally operates," he remarked.

"We recognize that the bug bounty program is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company," he also stated in written testimony.

Flynn testified alongside several other panelists at a subcommittee hearing that addressed the advent of bug bounty programs. Opening the hearing, subcommittee chairman Sen. Jerry Moran (R-Kan.) expressed measured concern that bug bounty programs that lack strong policies could be abused as extortion payout mechanisms.

However, he noted that these concerns "should not completely outweigh the overall utility of this innovative crowd-sourced approach that many industry actors have taken to proactively identify chinks in their technological armor to effectively administrator bug bounty programs in other cyber vulnerability disclosure efforts."

Moran's comments reflected a recurring theme during the hearing, in which experts and lawmakers alike attempted to distinguish the differences between legitimate bug bounty payouts and blackmail.

"It's the difference between a security consultant who says about your home: 'You have this vulnerability to force entry' and the criminal who says, 'You have this vulnerability to force entry, and I have your child. Pay me $100,000," said subcommittee ranking member Richard Blumenthal (D-Conn.) "That's ransom; it's a crime."

Luta Security CEO Katie Moussouris, who spearheaded the creation of bug bounty programs at Microsoft and the U.S. Department of Defense, testified at the hearing that large extortion payments damage the security industry by muddying the bug-hunting profession, eroding corporate and government trust in legitimate ethical hackers, and influencing more researchers to focus their talents on bug hunting when help is so desperately needed in secure code development.

"I want to point out that the ecosystem for rewarding bug hunting is skewing the markets toward more bug hunters, but not necessarily more bug fixers. This imbalance that is being created in these markets may very well shift the ecosystem towards rewarding more data theft than bug hunting," said Moussouris in written testimony. "Already, we are facing a global shortage of talent in cybersecurity, and while more legal ways to report bugs is good, the creation of an overall defense workforce is necessary, in the United States and worldwide."

Moussouris strongly recommended that companies with bounty programs place a hard ceiling on their rewards and refuse to negotiate payouts. And based on his own company's mistakes, Flynn recommended that all companies have set policies in place in the event of an extortion demand involving sensitive data.

Justin Brookman, director of privacy and technology policy at the Consumers Union, stated in written testimony that because bug bounties are a relatively new development, "expectations, norms, and best practices are still developing in this area." Therefore, he continued, Acompanies may want to reconsider the circumstances before reporting an incident to authorities, as it may scare off legit researchers from finding other bugs.

Despite widespread agreement that the actions on the part of the Uber hackers were malicious, Brookman had a more ambiguous take on the matter: "At some point, a request for more money may convey an implicit -- or explicit -- threat to sell the exploit or compromised data elsewhere if the demands are not met," wrote Brookman in his testimony. "However, from the publicly reported facts, it is not clear that that happened in this case. In any event, Uber had invited persons... to look for precisely the type of vulnerabilities that [the attackers] found."

Nevertheless, Brookman agreed that Uber had an obligation to disclose its breach sooner -- a sentiment that was commonly expressed at the hearing.

Asked point blank by Moran what Uber's justification was for waiting so long to notify victims of the hack, Flynn responded: "Senator, there's no justification for that. We should have notified our customers at the time when this did occur, and it was a mistake not to do so," adding that a key issue was that "we didn't have the right people in the room making that evaluation and making the right decision and making right by our customers."

During his testimony, Flynn noted that Uber has also taken additional steps to prevent a similar breach in the future, including instituting multifactor authentication protocols, enhancing third-party cloud data storage security, improving authentication and authorization when users attempt access a third-party database, and using auto-expiring credentials.

In his own testimony, HackerOne CEO Marten Mickos defended the bug bounty industry, asserting that an "Internet that enables privacy and protects consumers" is not achievable "without ethical hackers taking an active role in safeguarding our collective security and, that in turn requires a safe legal environment encouraging all individuals to come forward with vulnerability information, no matter the circumstances."

According to Flynn, Uber's bug bounty program through HackerOne has resolved more than 800 vulnerabilities and paid out roughly $1.3 million since it commenced in 2016. "It has achieved very significant improvements for a relatively modest expenditure, including addressing a bug in the SSH authentication system and a remote code execution bug in one of our websites," he said.

"Today's hearing spotlights the ethical considerations around how Uber responded to its recent breach. This was not a bug bounty payout. This was extortion, and the difference between the two is unambiguous. Extortion happens when a company is approached by an attacker that has gained valuable information and demands payment to keep the discovery quiet. Extortion is initiated by the attacker, and the attacker holds the power. Bug bounty programs operate in a controlled environment with secure communication on all ends to facilitate interactions between businesses and the researcher community for safe and effective security testing.


What's more, this hearing calls attention to a much bigger issue about the perception of the hacker community. Years ago, hackers were viewed strictly in a negative light. Over the past five or so years, the industry has progressed in understanding of the white-hat “digital locksmiths” who are here to help, and foster a productive and healthy relationship between the hackers and organizations.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.