(Reuters) — A 20-year-old Florida man was responsible for the large data breach at Uber last year and was paid by Uber to destroy the data through a so-called "bug bounty" program normally used to identify small code vulnerabilities, three people familiar with the events have told Reuters.
Uber announced on Nov. 21 that the personal data of 57 million users, including 600,000 drivers in the United States, had been stolen in a breach that occurred in October 2016, and that it paid the hacker $100,000 to destroy the information. But the company did not reveal any details about the hacker or how it paid him the money.
Uber made the payment last year through a program designed to reward security researchers who report flaws in a company's software, these people said. Uber's bug bounty service – as such a program is known in the industry – is hosted by a company called HackerOne, which provides its platform to a number of tech companies.
Reuters was unable to establish the identity of the hacker or of another person who sources said helped him. Uber spokesman Matt Kallman declined to comment on the matter.
Newly appointed Uber Chief Executive Dara Khosrowshahi fired two of Uber's top security officers when he announced the breach last month, saying the incident should have been disclosed to regulators at the time it was discovered, about a year earlier.
It remains unclear who made the final decision to authorize the payment to the hacker and to keep the breach secret, though the sources said then-CEO Travis Kalanick was aware of the breach and the bug bounty payment in November of last year.
Kalanick, who stepped down as Uber CEO in June, declined to comment on the matter, according to his spokesman.
A payment of $100,000 through a bug bounty program would be extremely unusual, with one former HackerOne executive saying it would represent an "all-time record." Security professionals said rewarding a hacker who had stolen data would also be well outside the normal rules of a bounty program, where payments are typically in the $5,000 to $10,000 range.
HackerOne hosts Uber's bug bounty program but does not manage it, and plays no role in deciding whether payouts are appropriate or how large they should be.
HackerOne CEO Marten Mickos said he could not discuss an individual customer's programs. "In all cases when a bug bounty award is processed through HackerOne, we receive identifying information of the recipient in the form of an IRS W-9 or W-8BEN form before payment of the award can be made," he said, referring to U.S. Internal Revenue Service forms.
According to two of the sources, Uber made the payment to confirm the hacker's identity and to have him sign a nondisclosure agreement to deter further wrongdoing. Uber also conducted a forensic analysis of the hacker's machine to make sure the data had been purged, the sources said.
One source described the hacker as "living with his mom in a small home trying to help pay the bills," adding that members of Uber's security team did not want to pursue prosecution of an individual who did not appear to pose a further threat.
The Florida hacker paid a second person for services that involved accessing GitHub, a site widely used by programmers to store their code, to obtain credentials for access to Uber data stored elsewhere, one of the sources said.
GitHub said the attack did not involve a failure of its security systems. "Our recommendation is to never store access tokens, passwords, or other authentication or encryption keys in the code," the company said in a statement.
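GitHub's advice that credentials must never live in code is easier to enforce mechanically than by policy: a check that runs before every commit catches the mistake before the repository, and anyone who can read it, ever sees the secret. What follows is an added example written for this page, not code from Uber, GitHub or HackerOne: a small Python scanner that flags common hardcoded-credential patterns in files about to be committed. The pattern set, the 3.0-bit entropy threshold and the sample configuration file are constructed for illustration; the AWS values in the sample are the AWS documentation's example keys, not live credentials.

```python
"""Added example: a minimal hardcoded-credential scanner for a pre-commit hook.

Not Uber's, GitHub's or HackerOne's code. The patterns, the entropy threshold
and SAMPLE_CONFIG below are constructed for illustration.
"""
import math
import re
import sys
from typing import List, NamedTuple

# Credential formats that should never appear in a commit. The fixed-format
# patterns use no capturing groups, so group(0) is the whole matched value.
PATTERNS = {
    # AWS access key IDs: 20 chars starting AKIA (long-term) or ASIA (temporary).
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # PEM private key header, whatever the key type.
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # GitHub tokens carry a gh?_ prefix followed by a long alphanumeric body.
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    # Heuristic: a secret-looking variable assigned a quoted literal of 8+ chars.
    "secret_assignment": re.compile(
        r"(?i)\b\w*(?:secret|api_key|apikey|password|passwd|token)\w*"
        r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}


class Finding(NamedTuple):
    path: str
    line: int
    kind: str
    preview: str    # redacted: the scanner must not echo the secret into logs
    entropy: float  # Shannon entropy of the matched value, bits per character


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; placeholders like 'changeme' score low."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(
        (value.count(ch) / n) * math.log2(value.count(ch) / n) for ch in set(value)
    )


def redact(value: str) -> str:
    """Keep a four-character prefix so the hit can be located, drop the rest."""
    return f"{value[:4]}...[{len(value)} chars]"


def scan_text(text: str, path: str = "<stdin>") -> List[Finding]:
    """Return every pattern hit in text, one Finding per (line, pattern)."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match is None:
                continue
            value = match.group(1) if pattern.groups else match.group(0)
            # A PEM header is not secret material itself, so it may be shown as-is.
            preview = value if kind == "private_key_block" else redact(value)
            findings.append(
                Finding(path, line_no, kind, preview, round(shannon_entropy(value), 2))
            )
    return findings


def scan_file(path: str) -> List[Finding]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read(), path)


def should_block(findings: List[Finding], entropy_threshold: float = 3.0) -> bool:
    """Fixed-format hits always block; heuristic hits block only when the value
    is high-entropy, so obvious placeholders are reported but do not fail the commit."""
    return any(
        f.kind != "secret_assignment" or f.entropy >= entropy_threshold
        for f in findings
    )


# Constructed sample file; the AWS values are the AWS documentation example keys.
SAMPLE_CONFIG = """\
# settings.py (constructed sample, not a real Uber file)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_PASSWORD = "changeme"
DEPLOY_TOKEN = "ghp_0123456789abcdef0123456789abcdef0123"
API_TOKEN = os.environ["API_TOKEN"]
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    paths = sys.argv[1:]
    results = (
        [f for p in paths for f in scan_file(p)]
        if paths
        else scan_text(SAMPLE_CONFIG, "settings.py")
    )
    for f in results:
        print(f"{f.path}:{f.line}: {f.kind} {f.preview} (entropy {f.entropy})")
    sys.exit(1 if should_block(results) else 0)
```

Saved as, say, `scan_secrets.py` and invoked from `.git/hooks/pre-commit` as `python scan_secrets.py $(git diff --cached --name-only --diff-filter=ACM)`, the script refuses the commit on any fixed-format hit or high-entropy assignment while still listing low-entropy placeholders for review. Two caveats a practitioner would add: a regex scanner only knows the formats it has been taught, so an unusual token format passes silently and the pattern list needs maintenance; and a credential that has already been pushed is compromised even after the offending commit is rewritten away, because it survives in history and in every clone, so the response is rotation, not deletion.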
“Shout it from the rooftops”
Uber received an email last year from an anonymous person demanding money in exchange for user data, and the message was forwarded to the company's bug bounty team in what was described as Uber's routine practice for such solicitations, according to three sources familiar with the matter.
Bug bounty programs are designed mainly to give security researchers an incentive to report weaknesses they uncover in a company's software. But complicated scenarios can emerge when dealing with hackers who obtain information illegally or seek a ransom.
Some companies choose not to report more aggressive intrusions to authorities on the grounds that it can be easier and more effective to negotiate directly with hackers in order to limit any harm to customers.
Uber's $100,000 payout and its silence on the matter at the time were extraordinary under such a program, according to Luta Security founder Katie Moussouris, a former HackerOne executive.
"If it had been a legitimate bug bounty, it would have been ideal for everyone involved to shout it from the rooftops," Moussouris said.
Uber's failure to report the breach to regulators, even though it may have felt it had dealt with the problem, was an error, according to people inside and outside the company who spoke to Reuters.
"The creation of a bug bounty program doesn't allow Uber, their bounty service provider, or any other company the ability to decide that breach notification laws don't apply to them," Moussouris said.
Uber fired its chief security officer, Joe Sullivan, and a deputy, attorney Craig Clark, over their roles in the incident.
"None of this should have happened, and I will not make excuses for it," Khosrowshahi said in a blog post announcing the hack last month.
Clark worked directly for Sullivan but also reported to Uber's legal and privacy team, according to three people familiar with the arrangement. It is unclear whether Clark informed Uber's legal department, which normally handled disclosure issues.
Sullivan and Clark did not respond to requests for comment.
In an August interview with Reuters, Sullivan, a former prosecutor and Facebook security chief, said he integrated security engineers and developers at Uber "with our lawyers and our public policy team who know what regulators care about."
Last week, three more top managers in Uber's security unit resigned. One of them, physical security chief Jeff Jones, later told others he would have left anyway, sources told Reuters. Another of the three, senior security engineer Prithvi Rai, later agreed to stay in a new role.
(Reporting by Joseph Menn in San Francisco and Dustin Volz in Washington; Additional reporting by Heather Somerville and Stephen Nellis in San Francisco; Editing by Jonathan Weber and Bill Rigby)