Uber paid hacker $100G to keep previous year's data breach a secret

Uber hasn't identified the hacker it paid $100,000 to last year but Reuters reports it's a 20-year-old man in Florida. (Getty Images)

A 20-year-old Florida man was responsible for the data breach at Uber last year, Reuters reported Wednesday. Uber paid him $100,000 through a "bug bounty" program to destroy the data, Reuters said.

The lawsuits claim Uber put users at risk by failing to report the hack and secretly handling it internally.

To cover up the attack, Uber used its bug bounty service hosted by HackerOne.

Sources familiar with the hack told Reuters the payment was made through a program created to reward bug hunters who report flaws in a company's software.

New Uber CEO Dara Khosrowshahi fired a pair of top Uber security officials when the company announced the incident, saying regulators should have been told when the breach was discovered, approximately one year prior.

While the exact identity of the hacker hasn't been revealed, it is suspected that then-CEO Travis Kalanick was aware of the breach and payment.

We've reached out to Uber for comment and will update when we hear back.

The payment was made through a bug hunter scheme called HackerOne, created to reward security researchers who identify weaknesses and issues in a company's software. HackerOne's CEO said that he couldn't discuss an individual customer's programs. He did say that in every case where a bug bounty is awarded, it is processed through them.

Apparently, the hacker had to sign a non-disclosure agreement to keep his trap shut about the whole incident, and Uber sent cybersecurity boffins around to make sure the swiped data was indeed purged from his computer.

The most interesting part is the hacker's description, according to a source: "Living with his mom in a small home trying to help pay the bills."

GitHub said the attack did not involve a failure of its security systems.

Bug bounty programs are designed mainly to give security researchers an incentive to report weaknesses they uncover in a company's software.

Katie Moussouris, a former HackerOne executive, told Reuters that Uber's payout and silence at the time were extraordinary under such a program. Hopefully this will serve as a lesson to other companies going forward.
