It turns out that a 20-year-old man from Florida was responsible for the massive security breach at Uber Technologies Inc that occurred last year, and was paid by the company to destroy the stolen data and keep the incident a secret.
Uber announced the security breach on Nov 21st, saying 2 hackers stole personal data of 57 million customers, including 600,000 drivers in the United States, from a third-party cloud server that the company is using, and that it paid $100,000 in ransom to destroy the data. The stolen information contained names, email addresses, and mobile phone numbers, including driver’s license numbers, but it did not include trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth. However, the company did not disclose the identities of the hackers, any information about them, or how it paid them.
Now three unnamed sources familiar with the incident have told Reuters that Uber made the payment through the HackerOne platform, run by a company that helps tech companies host their bug bounty and vulnerability disclosure programs. The Florida hacker paid an unknown amount to the second person for services that involved accessing GitHub. However, the identities of the Florida man and the other person who helped him carry out the hack could not be obtained.
Although HackerOne does not play any role in deciding rewards on behalf of companies, it does receive information about the identity of the recipient via an IRS W-9 or W-8BEN form before payment of an award can be made. HackerOne CEO Marten Mickos said he could not discuss an individual customer’s programs. This implies that some of the company’s employees know the identity of the hacker but chose not to disclose any information, as the individual did not pose any future threat to the company.
The sources also said that Uber used a forensic analysis of the hacker’s computer to make sure all the stolen data was wiped, and made the hacker sign a nondisclosure agreement to prevent any further wrongdoing.
The new CEO of Uber, Dara Khosrowshahi, has reportedly fired two of Uber’s top security officers, and one of his deputies, Craig Clark, who worked to keep the data breach quiet. The former CEO, Travis Kalanick, who stepped down as Uber CEO in June, was aware of the breach and bug bounty payment in November of last year but declined to comment on the issue.
“None of this should have happened, and I will not make excuses for it. While I cannot erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Khosrowshahi said.
“We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
Last week, three more top Uber security managers resigned, including Sullivan’s chief of staff Pooja Ashok, senior security engineer Prithvi Rai, and physical security chief Jeff Jones.