Three separate sources have told Reuters that a 20-year-old man from Florida was responsible for the massive data breach at Uber last year, in which more than 57 million client and driver records were stolen. The media outlet also alleges that Uber paid the hacker the $100,000 bribe through a bug bounty programme in return for destroying the data.
Uber announced that it paid to have the data destroyed when it admitted to the hack last month, but did not reveal how it sent the money.
'People familiar with the matter' said that the payment was made through Uber's bug bounty service, which is hosted (but not managed) by a company called HackerOne. A former executive at the firm, Katie Moussouris, said that such a high payment would have been an "all-time record". Rewards for identifying bugs in code are more normally in the range of $5,000 to $10,000.
Moussouris added that the failure to report the breach was a grievous error: "The creation of a bug bounty program doesn't allow Uber, their bounty service provider or any other company the ability to decide that breach notification laws don't apply to them."
HackerOne CEO Marten Mickos said that he could not comment on individual customers' programmes.
Two of the sources said that Uber made the payment to both confirm the attacker's identity and have him sign an NDA. They also analysed his machine to confirm that the data had been purged.
Dara Khosrowshahi, Uber's new CEO, fired two of the company's security leaders when he found out about the breach, and acknowledged that it should have been reported when it was discovered.
Reuters' sources said that ex-CEO Travis Kalanick was aware of both the breach and payment when he led the company.