In November, the CEO of Uber revealed that the corporate had paid a hacker $100,000 to delete knowledge obtained from a 2016 breach through which 57 million Uber clients’ and drivers’ names, electronic mail addresses, and telephone numbers have been uncovered. However the firm didn’t reveal who the hacker was or how the fee was made.
A Reuters report now casts a bit extra gentle on how the corporate hid its blackmail fee—the cash was paid out to an as-yet-unidentified Florida man by way of Uber’s bug bounty program, now managed by HackerOne. How Uber officers confirmed the deletion of the information has not been revealed, and numerous US senators have requested for an investigation into the breach, citing questions on why Uber did not contact legislation enforcement.
Uber’s CEO, Dara Khosrowshahi, stated in a weblog publish concerning the breach that “two people exterior the corporate had inappropriately accessed consumer knowledge saved on a third-party cloud-based service that we use,” and that no fee knowledge was uncovered. However the driver’s license knowledge for about 600,000 Uber drivers was stolen, as was contact knowledge for 57 million clients and drivers. “On the time of the incident,” Khosrowshahi stated, “we took instant steps to safe the information and shut down additional unauthorized entry by the people. We subsequently recognized the people and obtained assurances that the downloaded knowledge had been destroyed. We additionally applied safety measures to limit entry to and strengthen controls on our cloud-based storage accounts.”
Khosrowshahi stated he had solely just lately realized of the breach and had ordered an inner investigation. Two unidentified safety staff members at Uber who handled the breach have been fired.
HackerOne’s public statistics on the Uber bounty program present that Uber has paid out $1,289,595 in bounties over the lifetime of this system thus far, together with one for the $10,000 most specified by Uber to a UK-based researcher for essential bugs. However there are not any public fee particulars for HackerOne profiles that quantity to the $100,000 Uber reviews to have paid for the information destruction or any string of bounties to a single person who add as much as that quantity, so it is clear the fee wasn’t made by way of the general public HackerOne program. A former HackerOne official advised Reuters’ Joseph Menn and Dustin Volz that such a fee would quantity to an “all-time report” fee by way of a bug bounty program.
Casey Ellis, founder and CTO of the bug bounty administration firm BugCrowd, expressed concern about how an organization may cross off a blackmail fee as a bug bounty program with out elevating issues or alarms. “From an moral standpoint,” Ellis stated, “this growth creates confusion and doubtlessly damages the expansion of the researcher/vendor relationship—even supposing it was clearly an extortion payout, and never a real Bug Bounty payout.”
A HackerOne spokesperson advised Ars that the corporate had no touch upon the matter. Uber additionally is just not commenting on the Reuters story. However utilizing a bug bounty on this means wouldn’t be the primary of Uber’s ethically questionable (and in some circumstances legally questionable) expertise shenanigans, together with creating pretend consumer accounts on competitor Lyft’s system to assist mine driver and pricing knowledge in an try to establish which drivers labored for each Uber and Lyft.