Lone attacker, 20, paid by Uber to delete hacked data



In November, the CEO of Uber revealed that the company had paid a hacker $100,000 to delete data obtained from a 2016 breach in which 57 million Uber customers' and drivers' names, email addresses, and phone numbers were exposed.

HackerOne subsequently paid the person $100,000 in exchange for erasing the stolen Uber data, the sources told Reuters. One source told Reuters that the hacker was "living with his mom in a small home trying to help pay the bills", and did not pose a further threat to Uber.

Mr Khosrowshahi fired two of the company's security officials, chief security officer Joe Sullivan and attorney Craig Clark, for their failure to disclose the breach to law enforcement at the time, instead choosing to cover it up.

But the firm caused much anger when it was revealed it had actually paid the hacker $100,000 to hide the information for over a year.

Reuters claims to have other sources who revealed that the hacker in question was forced to sign a non-disclosure agreement as part of the deal and to have his machine undergo forensic analysis to ensure that the data had been fully deleted.

CEO of HackerOne Marten Mickos commented that he could not talk about the programs of individual customers.


Uber's bug bounty service is hosted by a company called HackerOne, which offers its platform to a number of tech companies. That company merely hosts Uber's program, however; it has no say in how large payments can be or to whom they go.

This all has a distinct whiff of bad practice about it, something which has plagued Uber of late, what with losing its London license and the rather nasty actions of former chief executive Travis Kalanick.

Uber has come under fire since disclosing the data breach last month more than a year after the fact, and the incident is now being reviewed by state and federal regulators in the USA and overseas.

Uber had not responded to Silicon UK at the time of writing.

Had the incident taken place after the introduction of the EU's General Data Protection Regulation (GDPR) next May, the penalties could have been more severe.
