Uber paid $100,000 to a 20-year-old Florida man responsible for the recently disclosed data breach that compromised the personal information of 57 million riders and drivers in 2016, multiple sources told Reuters.
Three people familiar with the incident said an unidentified Florida man contacted Uber after breaching a server in October and stealing information including the names and email addresses of ride-share users in the U.S. and abroad, Reuters reported Wednesday.
The culprit’s message was forwarded to Uber’s “bug bounty” team and ultimately made its way to HackerOne, a third-party company that awards researchers for revealing security flaws in clients’ products.
HackerOne subsequently paid the person $100,000 in exchange for erasing the stolen Uber data, the sources told Reuters.
Uber announced Nov. 21 that hackers breached a third-party server last year and stole the names and email addresses of 57 million users, among other personal information.
“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” Uber CEO Dara Khosrowshahi said in the announcement. “We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”
Mr. Khosrowshahi learned of the incident after becoming Uber’s chief executive in August, and he has since terminated two employees implicated in its response: Joe Sullivan, Uber’s former head of security, and a deputy, attorney Craig Clark.
Another three members of Uber’s security team subsequently resigned from their roles last week.
Reuters didn’t identify the Florida hacker by name, but a source described him as “living with his mom in a small home trying to help pay the bills.”
Uber declined to pursue criminal charges after determining that the person didn’t pose an additional threat, and it eventually paid the hacker after confirming his identity and having him sign a nondisclosure agreement, Reuters reported.
“In all cases when a bug bounty award is processed through HackerOne, we receive identifying information of the recipient in the form of an IRS W-9 or W-8BEN form before payment of the award can be made,” HackerOne CEO Marten Mickos told Reuters.
Uber spokesman Matt Kallman declined to comment, the report said.
Uber has come under fire since disclosing the data breach last month more than a year after the fact, and the incident is currently being reviewed by state and federal regulators in the U.S. and abroad.
Sen. Bill Nelson, Florida Democrat, cited Uber’s delayed admission while reintroducing legislation last week that carries prison time for corporate executives caught deliberately concealing data breaches such as the October 2016 incident.
“We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,” Mr. Nelson said in a statement. “Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what’s best for consumers, the choice is clear.”
• Andrew Blake can be reached at ablake@washingtontimes.com.