Uber Paid 20-year-old Florida Man To Keep Data Breach Secret (reuters.com)
A 20-year-old Florida man was responsible for the large data breach at Uber last year and he was paid by the company to destroy the data through a so-called "bug bounty" program, three people familiar with the events have told Reuters. From the report: Uber announced on Nov. 21 that the personal data of 57 million users, including 600,000 drivers in the United States, were stolen in a breach that occurred in October 2016, and that it paid the hacker $100,000 to destroy the information. But the company did not reveal any information about the hacker or how it paid him the money. Uber made the payment last year through a program designed to reward security researchers who report flaws in a company's software, these people said. Uber's bug bounty service -- as such a program is known in the industry -- is hosted by a company called HackerOne, which offers its platform to a number of tech companies.
Considering we're now talking about the breach they paid to keep secret.
The revenue generated from operating for months without the public knowing about a breach likely made it worth it.
If unethical behavior is proven to be profitable in the face of pathetic slap-on-the-wrist fines, then unethical behavior will be the default behavior. This is the reason we're seeing such a dismantling of ethics in large business today. When doing the wrong thing is worth it, don't expect people to do the right thing.
If this guy was the only one who accessed the data, and he did so under a bug bounty program for which he got paid (and presumably signed an NDA), then it's not really a breach at all?
The data was basically accessed by a paid contractor who's under NDA, business as usual and happens all the time.
Well, this does look a bit like a gray area based on the sequence of events. He wasn't under specific contract before the hack... unless of course there is something in the bug bounty program that covers this under a ToS and he was working under that ToS. It really depends on facts not being reported... like whether the hacker actually demanded payment before destroying the company data or if destroying any company data was merely a clause in the contract for the bug bounty program.
No, it was simple extortion, in a way the parties involved can claim isn't extortion.
Uber has a bug bounty program.
Guy hacks Uber and steals customers' data.
Uber then pays the guy to destroy data instead of selling it on some black market.
So that Uber isn't seen as paying ransom, they pay a bug bounty instead. Also the money being declared "bug bounty" clears the guy of being an extortionist or hacker, so the guy is in the clear regarding the CFAA (Computer Fraud and Abuse Act) and the unlawful hacking is retroactively legitimized.