A 20-year-old Florida man was responsible for the large data breach at Uber Technologies last year and was paid by Uber to destroy the data through a so-called “bug bounty” program normally used to identify small code vulnerabilities, three people familiar with the events have told Reuters.
Uber announced on Nov. 21 that the personal data of 57 million users, including 600,000 drivers in the United States, were stolen in a breach that occurred in October 2016, and that it paid the hacker $100,000 to destroy the information. But the company did not reveal any information about the hacker or how it paid him the money.
Uber made the payment last year through a program designed to reward security researchers who report flaws in a company’s software, these people said. Uber’s bug bounty service – as such a program is known in the industry – is hosted by a company called HackerOne, which offers its platform to a number of tech companies.
Reuters was unable to establish the identity of the hacker or another person who sources said helped him. Uber spokesman Matt Kallman declined to comment on the matter.
Newly appointed Uber Chief Executive Dara Khosrowshahi fired two of Uber’s top security officials when he announced the breach last month, saying the incident should have been disclosed to regulators at the time it was discovered, about a year before.
It remains unclear who made the final decision to authorize the payment to the hacker and to keep the breach secret, though the sources said then-CEO Travis Kalanick was aware of the breach and bug bounty payment in November of last year.
Kalanick, who stepped down as Uber CEO in June, declined to comment on the matter, according to his spokesman.
A payment of $100,000 through a bug bounty program would be extremely unusual, with one former HackerOne executive saying it would represent an “all-time record.” Security professionals said rewarding a hacker who had stolen data also would be well outside the normal rules of a bounty program, where payments are typically in the $5,000 to $10,000 range.
HackerOne hosts Uber’s bug bounty program but does not manage it, and plays no role in deciding whether payouts are appropriate or how large they should be.
HackerOne CEO Marten Mickos said he could not discuss an individual customer’s programs. “In all cases when a bug bounty award is processed through HackerOne, we receive identifying information of the recipient in the form of an IRS W-9 or W-8BEN form before payment of the award can be made,” he said, referring to U.S. Internal Revenue Service forms.
According to two of the sources, Uber made the payment to confirm the hacker’s identity and have him sign a nondisclosure agreement to deter further wrongdoing. Uber also conducted a forensic analysis of the hacker’s machine to make sure the data had been purged, the sources said.
One source described the hacker as “living with his mom in a small home trying to help pay the bills,” adding that members of Uber’s security team did not want to pursue prosecution of an individual who did not appear to pose a further threat.
The Florida hacker paid a second person for services that involved accessing GitHub, a site widely used by programmers to store their code, to obtain credentials for access to Uber data stored elsewhere, one of the sources said.
GitHub said the attack did not involve a failure of its security systems. “Our recommendation is to never store access tokens, passwords, or other authentication or encryption keys in the code,” that company said in a statement.
Uber received an email last year from an anonymous person demanding money in exchange for user data, and the message was forwarded to the company’s bug bounty team in what was described as Uber’s routine practice for such solicitations, according to three sources familiar with the matter.
Bug bounty programs are designed mainly to give security researchers an incentive to report weaknesses they uncover in a company’s software. But complicated scenarios can emerge when dealing with hackers who obtain information illegally or seek a ransom.
Some companies choose not to report more aggressive intrusions to authorities on the grounds that it can be easier and more effective to negotiate directly with hackers in order to limit any harm to customers.
Uber’s $100,000 payout and silence on the matter at the time was extraordinary under such a program, according to Luta Security founder Katie Moussouris, a former HackerOne executive.
“If it had been a legitimate bug bounty, it would have been ideal for everyone involved to shout it from the rooftops,” Moussouris said.
Uber’s failure to report the breach to regulators, even though it may have felt it had dealt with the problem, was an error, according to people inside and outside the company who spoke to Reuters.
“The creation of a bug bounty program doesn’t allow Uber, their bounty service provider, or any other company the ability to decide that breach notification laws don’t apply to them,” Moussouris said.
Uber fired its chief security officer, Joe Sullivan, and a deputy, attorney Craig Clark, over their roles in the incident.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in a blog post announcing the hack last month.
Clark worked directly for Sullivan but also reported to Uber’s legal and privacy team, according to three people familiar with the arrangement. It is unclear whether Clark informed Uber’s legal department, which typically handled disclosure issues.
Sullivan and Clark did not respond to requests for comment.
In an August interview with Reuters, Sullivan, a former prosecutor and Facebook security chief, said he integrated security engineers and developers at Uber “with our lawyers and our public policy team who know what regulators care about.”
Last week, three more top managers in Uber’s security unit resigned. One of them, physical security chief Jeff Jones, later told others he would have left anyway, sources told Reuters.
Another of the three, senior security engineer Prithvi Rai, later agreed to stay in a new role.
Correction: This article has been updated to accurately reflect the number of Uber users the company said had their data stolen.