Florida Man… pockets Uber cash to keep quiet about data breach

That's not how bug bounties work, Travis

By Kieren McCarthy in San Francisco


A 20-year-old Florida man who lives with his mom was the "security researcher" that Uber paid off last year not to reveal a massive hack of its systems.

In a typically Uber take on network security, the ride-hailing app company paid the man $100,000 in October last year to destroy data he downloaded on 57 million users, including 600,000 drivers, and then pretended the payment was part of a bug bounty program, according to Reuters.

Uber kept quiet about the breach and the details only came to light two weeks ago when new CEO Dara Khosrowshahi learnt about it, fired two of Uber's top security officials, went public with the news and noted that the company should have disclosed the breach to regulators.

In a statement, Khosrowshahi made an unusual comment about what had transpired, noting:

At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.

Uber went further, disguising the payment as a bug bounty – despite paying more than 10 times the typical rate for the discovery of such a bug – and running the payment through a company called HackerOne, which is used by a number of other tech companies for similar (legit) programs.

Reuters spoke to HackerOne, which agreed that a $100,000 payout was "extremely unusual" and an "all-time record" but noted that it neither manages the bug bounty programs it hosts nor decides their payouts.

Its CEO Marten Mickos refused to identify the individual who received the payout but made it clear that HackerOne knows his identity, since it requires recipients to prove who they are by submitting a government tax form before a payment is authorized.

Disclosure? Non.

Reuters claims to have other sources that revealed that the hacker in question was forced to sign a non-disclosure agreement as part of the deal and to have his machine undergo forensic analysis to ensure that the data had been fully deleted.

One of those sources described the hacker as "living with his mom in a small home trying to help pay the bills." He was identified as a 20-year-old living in Florida, but the sources did not reveal his name and Reuters admits it was unable to confirm his identity.

The decision to pay someone off who had damaging information about the company and then pretend it never happened has become something of a pattern for Uber under its former CEO Travis Kalanick.

Last month, a San Francisco judge halted a trial against Uber in which it is accused of stealing trade secrets from competitors after it emerged at the last minute that a former Uber security team member had resigned and sent a letter to Uber outlining what he suggested was criminal behavior.

Uber responded by paying him $4.5m and his lawyer $3m and then failed to disclose any of the details of the saga to the company suing it – Waymo – despite Waymo being explicitly named in the resignation letter.

As well as the firing of two security officials, a further three managers in Uber's security department have resigned in the past week as new CEO Khosrowshahi clears house.

At this point, you have to imagine that Khosrowshahi dreads every meeting in which a senior staffer tells him "there's something you should know…" ®
