Florida Man… pockets Uber cash to keep quiet about data breach

That's not how bug bounties work, Travis

By Kieren McCarthy in San Francisco

Posted in Business, 7th December 2017 19:31 GMT

A 20-year-old Florida man who lives with his mom was the "security researcher" that Uber paid off last year not to reveal a massive hack of its systems.

In a typically Uber take on network security, the ride-hailing app company paid the man $100,000 in October last year to destroy data he downloaded on 57 million users, including 600,000 drivers, and then pretended the payment was part of a bug bounty program, according to Reuters.

Uber kept quiet about the breach and the details only came to light two weeks ago when new CEO Dara Khosrowshahi learnt about it, fired two of Uber's top security officials, went public with the news and noted that the company should have disclosed the breach to regulators.

In a statement, Khosrowshahi made an unusual comment about what had transpired, noting:

At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.

Digging further into the issue, Reuters found that Uber disguised the payment as a bug bounty – despite paying more than 10 times the typical rate for the discovery of such a bug – and ran the payment through a company called HackerOne, which is used by a number of other tech companies for similar (legit) programs.

Reuters spoke to HackerOne, which agreed that a $100,000 payout was "extremely unusual" and an "all-time record" but noted that it does not manage the programs or decide the payouts for the bug bounty programs it hosts.

Its CEO Marten Mickos refused to identify the individual who received the payout but did make it clear that it knows his identity since it requires someone to prove their identity by sending a government tax form before authorizing payment.

Disclosure? Non.

Reuters claims to have other sources who revealed that the hacker in question was forced to sign a non-disclosure agreement as part of the deal and to have his machine undergo forensic analysis to ensure that the data had been fully deleted.

One of those sources described the hacker as "living with his mom in a small home trying to help pay the bills." He was identified as a 20-year-old living in Florida, but the sources did not reveal his name and Reuters admits it was unable to confirm his identity.

The decision to pay someone off who had damaging information about the company and then pretend it never happened has become something of a pattern for Uber under its former CEO Travis Kalanick.

Last month, a San Francisco judge halted a trial against Uber in which it is accused of stealing trade secrets from competitors after it emerged at the last minute that a former Uber security team member had resigned and sent a letter to Uber outlining what he suggested was criminal behavior.

Uber responded by paying him $4.5m and his lawyer $3m and then failed to disclose any of the details of the saga to the company suing it – Waymo – despite Waymo being explicitly named in the resignation letter.

As well as the firing of two security officials, a further three managers in Uber's security department have resigned in the past week as new CEO Khosrowshahi clears house.

At this point, you have to imagine that Khosrowshahi dreads every meeting in which a senior staffer tells him "there's something you should know…" ®
