Uber Paid 20-year-old Florida Man To Keep Data Breach Secret (reuters.com)
A 20-year-old Florida man was responsible for the large data breach at Uber last year and he was paid by the company to destroy the data through a so-called "bug bounty" program, three people familiar with the events have told Reuters. From the report: Uber announced on Nov. 21 that the personal data of 57 million users, including 600,000 drivers in the United States, were stolen in a breach that occurred in October 2016, and that it paid the hacker $100,000 to destroy the information. But the company did not reveal any information about the hacker or how it paid him the money. Uber made the payment last year through a program designed to reward security researchers who report flaws in a company's software, these people said. Uber's bug bounty service -- as such a program is known in the industry -- is hosted by a company called HackerOne, which offers its platform to a number of tech companies.
If this guy was the only one who accessed the data, and he did so under a bug bounty program for which he got paid (and presumably signed an NDA), then it's not really a breach at all?
The data was basically accessed by a paid contractor who's under NDA, business as usual and happens all the time.
Considering we're now talking about the breach they paid to keep secret.
The revenue generated from operating for months without the public knowing about a breach likely made it worth it.
If unethical behavior is proven to be profitable in the face of pathetic slap-on-the-wrist fines, then unethical behavior will be the default behavior. This is the reason we're seeing such a dismantling of ethics in large business today. When doing the wrong thing is worth it, don't expect people to do the right thing.
Seems like they used a rather legit way of paying a ransom to get him to sweep it under the rug. At least, that's how it appears to me.
Sorry, I couldn't resist.
You mean now there's even hatred between age groups?
With ignorance like that I'd peg you as being one of those ignorant and self-absorbed millennials.
No it was simple extortion in a way the parties involved can claim it isn't extortion.
Uber has a bug bounty program.
Guy hacks Uber and steals customers' data.
Uber then pays the guy to destroy data instead of selling it on some black market.
So that Uber isn't seen as paying ransom, they pay a bug bounty instead. Also the money being declared "bug bounty" clears the guy of being an extortionist or hacker, so the guy is in the clear regarding the CFAA (Computer Fraud and Abuse Act) and the unlawful hacking is retroactively legitimized.
Other than a lack of an upfront NDA, there is very little difference between this scenario and a security consultant being hired for red team testing. In both cases, a company has agreed to pay an amount of money to someone for finding their vulnerabilities. When a company is willing to pay, it's not extortion.
If corporations still feel that bug bounty payouts are "extortion", then get rid of the program and take your chances with the FBI. It's that simple.
How do you sell conquest and murder? Call it liberation and spreading freedom.
How do you buck a powerful system implementing policies contrary to your profit interests and replace it with one where you have more power to shape policies to increase your profit? Call it tyrannical and get people to commit suicide and murder to "free" themselves of that "oppression".
How do you get people to support one group systematically getting the better end of the stick in trade? Call everything that results in your side of the trade losing fraud, theft, etc., and make the wins for your side of the stick industry practices, interest, fees, etc.
How do you get people to embrace racism? Define a racial group as racist.
How do you get people to hate someone? Define a "them" and define anything "they" do that is in "their" interest and contrary to "our" interest as hate. Every contrary or negative thing any of "them" do is proof of how bad "they" are, and everything inconsistent is an anecdotal individual exception that doesn't apply meaningfully to "them" as a whole. It is okay to hate "them" because turnabout is fair play and they have no moral high ground from which to complain.
If a security researcher found a bug and refused to disclose it without being paid, I would probably not consider this extortion even if they downloaded all the records.
I also wouldn't consider it extortion if they threatened to disclose the bug or even sell the bug.
Where it crosses the line is if they threaten to sell or give away those records if they don't get paid.