Florida Man… pockets Uber cash to keep quiet about data breach
That's not how bug bounties work, Travis
A 20-year-old Florida man who lives with his mom was the "security researcher" that Uber paid off last year not to reveal a massive hack of its systems.
In a typically Uber take on network security, the ride-hailing app company paid the man $100,000 in October last year to destroy data he downloaded on 57 million users, including 600,000 drivers, and then pretended the payment was part of a bug bounty program, according to Reuters.
Uber kept quiet about the breach and the details only came to light two weeks ago when new CEO Dara Khosrowshahi learnt about it, fired two of Uber's top security officials, went public with the news and noted that the company should have disclosed the breach to regulators.
In a statement, Khosrowshahi made an unusual comment about what had transpired, noting:
At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.
Digging further into the issue, Uber disguised the payment as a bug bounty – despite paying more than 10 times the typical rate for the discovery of such a bug – and ran the payment through a company called HackerOne, which is used by a number of other tech companies for similar (legit) programs.
Reuters spoke to HackerOne which agreed that a $100,000 was "extremely unusual" and an "all-time record" but noted that it does not manage the program or decide the payouts through the bug bounty programs it hosts.
Its CEO Marten Mickos refused to identify the individual who received the payout but did make it clear that it knows his identity since it requires someone to prove their identity by sending a government tax form before authorizing payment.
Reuters claims to have other sources that revealed that the hacker in question was forced to sign a non-disclosure agreement as part of the deal and to have his machine undergo forensic analysis to ensure that the data has been fully deleted.
One of those sources described the hacker as "living with his mom in a small home trying to help pay the bills." He was identified as a 20-year-old living in Florida, but the sources did not reveal his name and Reuters admits it was unable to confirm his identity.
The decision to pay someone off who had damaging information about the company and then pretend it never happened has become something of a pattern for Uber under its former CEO Travis Kalanick.
Last month, a San Francisco judge halted a trial against Uber in which it is accused of stealing trade secrets from competitors after it emerged at the last minute that a former Uber security team member had resigned and sent a letter to Uber outlining what he suggested was criminal behavior.
Uber responded by paying him $4.5m and his lawyer $3m and then failed to disclose any of the details of the saga to the company suing it – Waymo – despite Waymo being explicitly named in the resignation letter.
As well as the firing of two security officials, a further three managers in Uber's security department have resigned in the past week as new CEO Khosrowshahi clears house.
At this point, you have to imagine that Khosrowshahi dreads every meeting in which a senior staffer tells him "there's something you should know…" ®
- Black Hat
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Kenna Security
- Palo Alto Networks
- Trusted Platform Module
- Zero trust