Uber paid hacker $100G to keep last year's data breach a secret


Reuters claims that the person responsible for the hack on Uber, in which more than 57 million client and driver records were stolen, is a 20-year-old man from Florida "living with his mom [sic] in a small home trying to help pay the bills", according to sources. The pilfered data included personal information such as names, email addresses and driver's license numbers, but not Social Security numbers or credit card information, the company said.

This is a bit unusual, as such bug bounty schemes are used to reward white hat hackers for discovering software vulnerabilities, and often the companies hosting them will trumpet the success and number of payouts they've made as an example of how strong and stable their code has become.

Sources told Reuters that then-CEO Travis Kalanick was aware of the breach and "bug bounty" payment in November of the previous year.


The name of the hacker was "unavailable" from "three sources close to the events" that disclosed the other information, reports the Express. Sources familiar with the hack have told Reuters that the payment was made through a program created to reward bug hunters who report flaws. A former executive at the firm, Katie Moussouris, said that such a high payment would have been an "all-time record".

Uber spokesman Matt Kallman declined to comment to Reuters.

Last month, Uber CEO Dara Khosrowshahi confirmed the breach, saying that "we have to be honest and transparent as we work to fix our past mistakes".


Under the terms of the deal, the unnamed man had to sign a nondisclosure agreement and agree not to compromise Uber again. The company also conducted a forensic examination of his machine to make sure the data had been purged. Uber's bug bounty service is hosted by HackerOne, a company that connects security researchers with companies.

Reuters' sources said that ex-CEO Travis Kalanick was aware of both the breach and payment when he led the company.

At the time of the incident, Uber approached the two hackers and "obtained assurances that the downloaded data had been destroyed", and upped the security of the third-party cloud-based storage account they had accessed, he added.


Remember the unidentified man that was paid $100,000 to delete Uber's stolen data?
