Report: Uber Paid Off Hacker To Destroy Stolen User Data
By Andrew Blake
PUBLISHED: DECEMBER 08, 2017
Uber paid $100,000 to a 20-year-old Florida man responsible for the recently disclosed data breach that compromised the personal information of 57 million riders and drivers in 2016, multiple sources told Reuters.

Three people familiar with the incident said an unidentified Florida man contacted Uber after breaching a server in October and stealing information including the names and email addresses of ride-share users in the U.S. and abroad, Reuters reported Wednesday.

The culprit's message was forwarded to Uber's "bug bounty" team and ultimately made its way to HackerOne, a third-party company that awards researchers for revealing security flaws in clients' products.

HackerOne subsequently paid the person $100,000 in exchange for erasing the stolen Uber data, the sources told Reuters.

Uber announced Nov. 21 that hackers breached a third-party server last year and stole the names and email addresses of 57 million users, among other personal information.

"At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals," Uber CEO Dara Khosrowshahi said in the announcement. "We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts."

Mr. Khosrowshahi learned of the incident after becoming Uber's chief executive in August, and he's since terminated two employees implicated in its response: Joe Sullivan, Uber's former head of security, and a deputy, attorney Craig Clark.

Another three members of Uber's security subsequently resigned from their roles last week.

Reuters didn't identify the Florida hacker by name, but a source described him as "living with his mom in a small home trying to help pay the bills."

Uber declined to pursue criminal charges after determining that the person didn't pose an additional threat and eventually paid the hacker after confirming their identity and making them sign a nondisclosure agreement, Reuters reported.

"In all cases when a bug bounty award is processed through HackerOne, we receive identifying information of the recipient in the form of an IRS W-9 or W-8BEN form before payment of the award can be made," HackerOne CEO Marten Mickos told Reuters.

Uber spokesman Matt Kallman declined to comment, the report said.

Uber has come under fire since disclosing the data breach last month more than a year after the fact, and the incident is currently being reviewed by state and federal regulators in the U.S. and abroad.

Sen. Bill Nelson, Florida Democrat, cited Uber's delayed admission while reintroducing legislation last week that carries prison time for corporate executives caught deliberately concealing data breaches such as the October 2016 incident.

"We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers," Mr. Nelson said in a statement. "Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what's best for consumers, the choice is clear."

© 2018 Washington Times under contract with NewsEdge/Acquire Media. All rights reserved.