Reuters is exclusively reporting that Uber bought the silence of a 20-year-old man from Florida in connection with the large data breach that hit the company last year. The young man, according to Reuters, was responsible for the data breach, but was paid by Uber to destroy the data through the company's "bug bounty" program.
Citing people familiar with the story, Reuters reports that the payment was made in 2016 through a program designed to reward security researchers who report flaws in a company’s software.
Two of the sources cited by Reuters said the company made the payment to confirm the identity of the hacker and have him sign a nondisclosure agreement to discourage further wrongdoing. To confirm that the data had actually been purged, Uber conducted a forensic analysis of the hacker's machine, the sources said.
The normal payout for a bounty program is in the region of $5,000 to $10,000. Uber's payment of $100,000 to the 20-year-old man, who reportedly lives with his mom, was something out of the ordinary.
Uber's bounty program is hosted by a company called HackerOne, which offers a similar service to several other tech companies. HackerOne, however, is only responsible for hosting Uber's bounty program, not for managing it. That means HackerOne does not determine the amount that is paid out as a bounty.
The October 2016 data breach was not Uber's first security breach. In 2015, Uber announced that a hack carried out on its database a year earlier may have exposed the information of 50,000 drivers. The ride-hailing service said one of its databases may have been hacked in May 2014. This, the company noted, may have put the data of up to 50,000 former and current drivers, including driver's license numbers, at risk.
A statement on the company’s blog explained how that breach happened and the effort it put in place to ensure such issues never occur again:
“In late 2014, we identified a one-time access of an Uber database by an unauthorized third party. A small percentage of current and former Uber driver partner names and driver’s license numbers were contained in the database. Immediately upon discovery we changed the access protocols for the database, removing the possibility of unauthorized access.”
Uber believed that the data breach could have been linked to an incident that happened on May 13, 2014. The database in question held information including the names and driver's license numbers of thousands of drivers in various states. The company blamed the breach on an "unauthorized third party," but didn't say how it uncovered the breach.
The company also announced that it had since changed access to the database to put an end to any further leak as soon as it discovered the vulnerability in its database. It further stated that it was in the process of informing affected drivers of the issue, and offered them a free one-year membership with credit-monitoring company Experian.