Uber reportedly paid a 20-year-old Florida man $100,000 via a bug reporting reward system to keep the data breach of 57 million users' information a secret.
Reuters reports that a 20-year-old man from Florida was behind the data breach last year that saw the information of 57 million Uber users and drivers exposed. Uber covered up the hack for over a year, only revealing the data breach in November, and paid the man to delete the stolen data using a “bug bounty” system, usually used to pay coders that spot code vulnerabilities.
Uber reportedly used their bug bounty service, hosted by a company called HackerOne, to transfer the payment to the man. A payment of that size through a bug bounty system would be highly irregular, and one former HackerOne executive said that such a payment would be an “all-time record.”
Two sources told Reuters that the payment was made to the hacker to confirm his identity and have him sign nondisclosure agreements in order to keep the hack under wraps. They reported Uber’s security team did not feel the need to further pursue action against an individual that they believed posed no further threat.
Three senior security managers at Uber stepped down last week as the company attempts to deal with the fallout from the data breach. Uber CEO Dara Khosrowshahi has condemned the actions of former security officer Joe Sullivan and how Uber handled the breach. “None of this should have happened, and I will not make excuses for it,” said Khosrowshahi.