Uber hacker is a 20-year-old man from Florida (allegedly)

The high payment through a bug bounty programme should have raised a few alarm bells.

Reuters claims that the person responsible for the hack on Uber, in which more than 57 million client and driver records were stolen, is a 20-year-old man from Florida "living with his mom [sic] in a small home trying to help pay the bills", according to sources.

Uber said it paid $100,000 to the data thieves at the time to delete the information.

Uber made the payment last year through a program created to reward security researchers who report flaws in a company's software, these people said. According to the Reuters report, the payment to the hacker was made via Uber's bug bounty program hosted by HackerOne. Reuters said Uber made the man sign a nondisclosure agreement, and verified that the data had been erased.

It is widely believed that CEO Travis Kalanick was aware of the breach and bug bounty payment in November of last year.

This all has a distinct whiff of bad practice about it, something which has plagued Uber of late, what with losing its London license and the rather nasty actions of former chief executive Travis Kalanick.

HackerOne CEO Marten Mickos told Reuters he could not discuss an individual customer's programs. HackerOne receives the personal information of the person paid in a W-9 or W-8BEN form before any payment can be made.

According to the report, Uber also conducted a forensic analysis of the hacker's machine to make sure that no traces of data were left behind.

GitHub said the attack did not involve a failure of its security systems.

Uber has come under fire since disclosing the data breach last month more than a year after the fact, and the incident is now being reviewed by state and federal regulators in the USA and overseas.

Bug bounty programs are designed mainly to give security researchers an incentive to report weaknesses they uncover in a company's software.

Uber had not responded to Silicon UK at the time of writing. He did say that in every case when there is a bug bounty award it processes through them.

Uber fired its chief security officer, Joe Sullivan, and a deputy, attorney Craig Clark, over their roles in the incident. The breach occurred in October 2016, but was not revealed until last month.

The revelation has gotten the startup in hot water with regulators and prosecutors.
