Slashdot Mirror

← Back to Stories (view on slashdot.org)

Uber Paid 20-year-old Florida Man To Keep Data Breach Secret (reuters.com)

Posted by msmash on from the closer-look dept.

A 20-year-old Florida man was responsible for the large data breach at Uber last year and he was paid by the company to destroy the data through a so-called "bug bounty" program, three people familiar with the events have told Reuters. From the report: Uber announced on Nov. 21 that the personal data of 57 million users, including 600,000 drivers in the United States, were stolen in a breach that occurred in October 2016, and that it paid the hacker $100,000 to destroy the information. But the company did not reveal any information about the hacker or how it paid him the money. Uber made the payment last year through a program designed to reward security researchers who report flaws in a company's software, these people said. Uber's bug bounty service -- as such a program is known in the industry -- is hosted by a company called HackerOne, which offers its platform to a number of tech companies.

22 of 27 comments (clear)

  1. Doesn't sound like they got their money's worth by JoeyRox · · Score: 1

    Considering we're now talking about the breach they paid to keep secret.

    1. Re:Doesn't sound like they got their money's worth by geekmux · · Score: 5, Insightful

      Considering we're now talking about the breach they paid to keep secret.

      The revenue generated from operating for months without the public knowing about a breach likely made it worth it.

      If unethical behavior is proven to be profitable in the face of pathetic slap-on-the-wrist fines, then unethical behavior will be the default behavior. This is the reason we're seeing such a dismantling of ethics in large business today. When doing the wrong thing is worth it, don't expect people to do the right thing.

    2. Re:Doesn't sound like they got their money's worth by klingens · · Score: 5, Insightful

      No it was simple extortion in a way the parties involved can claim it isn't extortion.

      Uber has a bug bounty program.
      Guy hacks Uber and steals customer's data.
      Uber then pays the guy to destroy data instead of selling it on some black market.
      So that Uber isn't seen as paying ransom, they pay a bug bounty instead. Also the money being declared "bug bounty" clears the guy of being an extortionist or hacker, so the guy is in the clear regarding the CFAA (Computer Fraud and Abuse Act) and the unlawful hacking is retroactively legitimized.

    3. Re:Doesn't sound like they got their money's worth by geekmux · · Score: 2

      No it was simple extortion in a way the parties involved can claim it isn't extortion.

      Uber has a bug bounty program. Guy hacks Uber and steals customer's data. Uber then pays the guy to destroy data instead of selling it on some black market. So that Uber isn't seen as paying ransom, they pay a bug bounty instead. Also the money being declared "bug bounty" clears the guy of being an extortionist or hacker, so the guy is in the clear regarding the CFAA (Computer Fraud and Abuse Act) and the unlawful hacking is retroactively legitimized.

      Other than a lack of an upfront NDA, there is very little difference between this scenario and a security consultant being hired for red team testing. In both cases, a company has agreed to pay an amount of money to someone for finding their vulnerabilities. When a company is willing to pay, it's not extortion.

      If corporations still feel that bug bounty payouts are "extortion", then get rid of the program and take your chances with the FBI. It's that simple.

    4. Re:Doesn't sound like they got their money's worth by swillden · · Score: 1

      Other than a lack of an upfront NDA, there is very little difference between this scenario and a security consultant being hired for red team testing.

      Bug bounties aren't typically done under any sort of upfront NDA either. So I think the only real difference between this and business as usual is that Florida Man downloaded a bunch of company data. Normal ethical hackers would find the vulnerability and then report it without using it. At most they might do a small test to verify that it is exploitable the way they think it is, but they wouldn't proceed to access data they should not have.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    5. Re:Doesn't sound like they got their money's worth by geekmux · · Score: 1

      Other than a lack of an upfront NDA, there is very little difference between this scenario and a security consultant being hired for red team testing.

      Bug bounties aren't typically done under any sort of upfront NDA either.

      Either? When I spoke of the lack of an NDA, I was specifically referring to one party here; the bug bounty hacker. I certainly hope an organization wouldn't be stupid enough to contract a security consultant for pen test/red team work without an NDA in place every time.

      So I think the only real difference between this and business as usual is that Florida Man downloaded a bunch of company data. Normal ethical hackers would find the vulnerability and then report it without using it. At most they might do a small test to verify that it is exploitable the way they think it is, but they wouldn't proceed to access data they should not have.

      Perhaps the test result data set was a bit larger than the average, but "small test" can be completely subjective. And to be honest, if I were being proactive about this and hiring a security consultant, I probably wouldn't tell them to hold back. I'd want to know exactly how much data they can exfiltrate and how long it took, in order to not only bolster defenses, but tweak systems to be able to better detect exfiltration activity.

    6. Re:Doesn't sound like they got their money's worth by klingens · · Score: 1

      In a bug bounty you show the company the bug and they pay you. Done.
      You do not download millions of customer datasets first. At most you download one or a few as a PoC, preferably your own actually. Not Millions! Somewhere between 1 and 57 million, it goes from PoC to outright criminal theft.

  2. Breach? by Bert64 · · Score: 3, Informative

    If this guy was the only one who accessed the data, and he did so under a bug bounty program for which he got paid (and presumably signed an nda) then it's not really a breach at all?

    The data was basically accessed by a paid contractor who's under NDA, business as usual and happens all the time.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    1. Re:Breach? by Anonymous Coward · · Score: 2, Insightful

      If this guy was the only one who accessed the data, and he did so under a bug bounty program for which he got paid (and presumably signed an nda) then it's not really a breach at all?

      The data was basically accessed by a paid contractor who's under NDA, business as usual and happens all the time.

      Well, this does look a bit like a gray area based on the sequence of events. He wasn't under specific contract before the hack... unless of course there is something in the bug bounty program that covers this under a ToS and he was working under that ToS. It really depends on facts not being reported... like whether the hacker actually demanded payment before destroying the company data or if destroying any company data was merely a clause in the contract for the bug bounty program.

    2. Re:Breach? by Anonymous Coward · · Score: 1

      Except a paid contractor will delete the data or be sued to death.

      "Florida Man" likely did not delete the data, and put it into cold storage.

    3. Re:Breach? by BlueCoder · · Score: 2

      I was about to say the same thing. Unless there was a clear threat to release or sell the "information" (not the hack) to other parties this was ethical hacking. If he did the hack and hadn't come forward until tracked down then it would be another matter.

      I think the writing is on the wall that all ethical hackers need to be represented by lawyers and one or more companies that specialize in this sort of thing and that can keep their names clear. It's not extortion. It's grey just like if you do a private adoption through a lawyer it's not considered selling a baby....

      It's the companies that insist on things like NDA's.

  3. Sounds like they paid a ransom that went sideways. by Last_Available_Usern · · Score: 2

    Seems like they used a rather legit way of paying a ransom to get him to sweep it under the rug. At least, that's how it appears to me.

  4. Florida Man has many talents by Ayano · · Score: 2

    Sorry, I couldn't resist.

    --
    I don't read AC
  5. Delete the Hacker. by Anonymous Coward · · Score: 1

    A Hit Man is probably about $25k

     

  6. Re: Why Is Age Relevant? by OzPeter · · Score: 2

    You mean now there's even hated between age groups?

    With ignorance like that I'd peg you as being one of those ignorant and self absorbed millennials.

    --
    I am Slashdot. Are you Slashdot as well?
  7. bitcoin? by Anonymous Coward · · Score: 1

    it paid the hacker $100,000 to destroy the information. But the company did not reveal any information about the hacker or how it paid him the money

    I hope they paid the hacker in bitcoin. He would be a very happy camper right now.

    Captcha: audits

  8. Re: Why Is Age Relevant? by shaitand · · Score: 2

    How do you sell conquest and murder? Call it liberation and spreading freedom.
    How do you buck a powerful system implementing policies contrary to your profit interests and replace it with one where you have more power to shape policies to increase your profit? Call it tyrannical and get people to commit suicide and murder to "free" themselves of that "oppression".
    How do you get people to support one group systematically getting the better end of the stick in trade? Call everything that results in your side of trade losing as fraud, theft, etc and make the wins for your side of the stick industry practices, interest, fees, etc.
    How do you get people to embrace racism? Define a racial group as racist.
    How do you get people to hate someone? Define a "them" and define anything "they" do that is in "their" interest and contrary to "our" interest as hate. Everything contrary or negative thing any of "them" do is proof of how bad "they" are and everything inconsistent is an anecdotal individual exception that doesn't apply meaningfully to "them" as a whole. It is okay to hate "them" because turnabout is fair play and they have no moral high ground from which to complain.

  9. Bug bounty program works. by roc97007 · · Score: 1

    News at 11.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  10. Re:Why Is Age Relevant? by irving47 · · Score: 1

    It could be argued that it's part of the "who"... Especially if they can't identify the person by name.

    --
    I had a sucky sig.
  11. Re:Why Is Age Relevant? by SeaFox · · Score: 1

    Why do these stories treat age as a relevant thing to the topic on hand?

    Probably to make some commentary on how poor Uber's security was. They're pointing out some random young guy was able to do it (as opposed to a "mature security researcher with decades of experience").

  12. Re: Doesn't sound like they got their money's wort by Wycliffe · · Score: 2

    If a security researcher found a bug and refused to disclose it without being paid, I would probably not consider this extortion even if they downloaded all the records.
    I also wouldn't consider it extortion if they threatened to disclose the bug or even sell the bug.
    Where it crosses the line is if they threaten to sell or give away those records if they don't get paid.

  13. Lesson learned by Brockmire · · Score: 1

    The first day of my first job out of college, the CEO said to me, "how do you get a tire through an embargo? Tie a rope around it and call it a swing". I treat that as the first sign he was a fraud to stay away from.