Three separate sources have told Reuters that a 20-year-old man from Florida was responsible for the massive data breach at Uber last year, in which more than 57 million client and driver records were stolen. The media outlet also alleges that Uber paid the hacker the $100,000 bribe to destroy the data through a bug bounty programme.
Uber announced that it paid to have the data destroyed when it admitted to the hack last month, but did not reveal how it sent the money.
'People familiar with the matter' said that the payment was made through Uber's bug bounty service, which is hosted (but not managed) by a company called HackerOne. A former executive at the firm, Katie Moussouris, said that such a high payment would have been an "all-time record". Rewards for identifying bugs in code are more normally in the range of $5,000 - $10,000.
Moussouris added that the failure to report the breach was a grievous error: "The creation of a bug bounty program doesn't allow Uber, their bounty service provider or any other company the ability to decide that breach notification laws don't apply to them."
CEO Marten Mickos said that he could not comment on individual customers' programmes.
Two of the sources said that Uber made the payment to both confirm the attacker's identity and have him sign an NDA. They also analysed his machine to confirm that the data had been purged.
Dara Khosrowshahi, Uber's new CEO, fired two of the company's security leaders when he found out about the breach, and acknowledged that it should have been reported when it was discovered.
Reuters' sources said that ex-CEO Travis Kalanick was aware of both the breach and payment when he led the company.