In November, the CEO of Uber revealed that the company has pay the hacker $100,000 to delete data obtained from a 2016 breach in which 57 million Uber customers and drivers’ names, email addresses, and phone numbers were exposed. But the company did not reveal who the hacker was or how the money was paid.
A Reuters news now shed more light on how the company hid its black money – the money was paid out to a previously unknown Florida man by Uber bug bounty program, now managed by HackerOne. How Uber officials confirmed the deletion of the data has not been revealed, and a number of US congressional officials have asked for an investigation into the breach, raising questions about why Uber failed to contact law enforcement.
Uber’s CEO, Dara Khosrowshahi, said in a blog post about the breach that “two people outside the company improperly accessed user data stored on a third-party cloud-based service we used,” and no payment data. that appears. But driver’s license data for about 600,000 Uber drivers was stolen, as was contact data for 57 million customers and drivers. “At the time of the incident,” Khosrowshahi said, “we took immediate steps to secure the data and shut down further unauthorized access by individuals. Then we identified the individuals and obtained assurances that we had destroy the downloaded data. We also implement security measures to restrict access and strengthen controls over our cloud-based storage accounts.”
Khosrowshahi said he had recently learned of the crime and had ordered an internal investigation. Two unidentified members of security at Uber who tackled the breach were fired.
HackerOne’s public statistics on the Uber reward program show that Uber has paid $1,289,595 in rewards over the life of the program so far, including one for a maximum of $10,000 specified by Uber to a UK-based researcher for bugs important. But there are no public payment details for HackerOne profiles up to $100,000 Uber reports to have paid for data destruction or any string of gifts to a person adding up to that amount, so it’s clear the payment isn’t done by the public HackerOne program. A former HackerOne employee told Reuters’ Joseph Menn and Dustin Volz that such a payment would be an “all-time record” payment through a bug bounty program.
Casey Ellis, founder and CTO of the bug bounty management company Bugcrowd, expressed concern about how a company can pass off blackmail as a bug bounty program without raising concerns or alarms. “From an ethical point of view,” said Ellis, “this development is creating confusion and may harm the development of the researcher/vendor relationship—although it is clear that it is a silent payment, not a true Bug Bounty payout .”
A HackerOne spokesperson told Ars that the company has no comment on the matter. Uber also did not comment on the Reuters story. But using a bug bounty in this way wouldn’t be the first of Uber’s questionable ethical (and in some cases legally questionable) technical shenanigans, including creating fake user accounts on competitor Lyft’s system to help drivers mine and pricing data in an attempt to identify which drivers work for both Uber and Lyft.