Euro Security Watch with Mathew J. Schwartz

Report: Uber Paid Florida 20-Year-Old $100,000 Over Hack
Takeaway: 'Bug Bounty' Plus NDA Still Looks Like Hush Money

The hacker to whom Uber paid $100,000 to destroy user data he'd obtained and keep quiet about the big, bad breach is a 20-year-old man living in Florida, Reuters reports (see Uber Concealed Breach of 57 Million Accounts for a Year).

Uber didn't immediately respond to a request for comment.

Reuters, which says it wasn't able to ascertain the man's identity, says that a source described the hacker as "living with his mom in a small home trying to help pay the bills" and said Uber's security team chose not to pursue legal measures against him as it believed he posed no further threat.

The man signed a nondisclosure agreement and submitted his systems for a full digital forensic analysis to verify that all Uber data had been expunged, Reuters reports.

Desperately Seeking Details

Excerpt from Uber's sample breach notification letter to victims, dated Nov. 22, 2017.

More details about the massive Uber data breach that it first disclosed on Nov. 21 continue to come to light.

"None of this should have happened, and I will not make excuses for it," Dara Khosrowshahi, who stepped into the driver's seat at Uber as CEO in September, said in a Nov. 21 statement. "We are changing the way we do business."

Despite senior officials inside Uber knowing about the breach for more than a year, however, and Khosrowshahi launching a thorough investigation more than two months ago after he learned about it, the ride-sharing platform has yet to come clean on multiple fronts.

6 Uber Breach Questions

Here's a short list of outstanding Uber data breach questions:

  • Why did Uber wait more than a year to alert 57 million riders and drivers that their data may have been compromised?
  • How many data breach notification laws in how many countries has Uber violated, and how massive are the fines it potentially faces? (See Driving Privacy Regulators Crazy: UK Probes Uber Breach)
  • Why did the ride-hailing platform fire CSO Joe Sullivan and his deputy two weeks ago, allegedly for how they handled the breach, which the company discovered in November 2016? (See Fast and Furious Data Breach Scandal Overtakes Uber)
  • Did former CEO Travis Kalanick know about - and cover up - the breach?
  • What were the circumstances of Uber's payments - characterized as bug bounty rewards - to two security researchers?
  • Will it take hearings in Congress - fresh from grilling former Equifax and Yahoo executives - to finally get solid answers to all of these questions?

Legitimate Bug Bounty?

News of the $100,000 payoff was first reported by Bloomberg in the wake of Uber's breach notification.

Uber's HackerOne program overview, pictured on Dec. 7, 2017.

Unanswered questions still remain over whether the payment was a bug bounty or hush money, potentially in response to an extortion demand.

On the bug bounty front, Uber participates in a bug bounty program run by HackerOne, which hosts programs for a number of technology companies.

But the scale of the payment exceeds any bug bounty awarded via the program to date.

"If it had been a legitimate bug bounty, it would have been ideal for everyone involved to shout it from the rooftops," Luta Security founder Katie Moussouris, a former HackerOne executive, tells Reuters.

If it was a legitimate bug bounty payment, why didn't Uber come clean and comply with laws that require anyone whose personal information may have been exposed to be notified?

Furthermore, why did Khosrowshahi, Uber's new CEO, wait more than two months before issuing the company's first public alert to victims? (See Did Uber Break Breach Notification Minimum-Speed Limits?)

GitHub: TMI Alert

Besides the $100,000 payoff to the Florida-based hacker, Reuters reports that Uber also paid a second individual in connection with sensitive information unearthed via Uber code shared to the GitHub code-sharing service. It's not clear if it was this data, uploaded by Uber to GitHub, that may have enabled the Florida man to access Uber's systems.

A GitHub spokeswoman tells me that "this was not the result of a failure of GitHub's security," although she declined to comment further on individual accounts. Instead, she warned: "Our recommendation is to never store access tokens, passwords, or other authentication or encryption keys in the code. If the developer must include them in the code, we recommend they implement additional operational safeguards to prevent unauthorized access or misuse."

Uber didn't immediately respond to a request for comment.

But this wouldn't be the first time Uber insiders apparently overshared to GitHub. In early 2015, Uber warned that it suffered a breach in September 2014 after it inadvertently posted application programming interfaces for its website to GitHub. Uber then requested that a court order a subpoena of GitHub to obtain a complete list of all users who accessed a GitHub "gist" - repository - that contained an API as well as a script for directly accessing Uber's back-end systems (see Uber Breach Affects 50,000 Drivers).

GitHub declined to comment about whether Uber issued a similar subpoena demand in the wake of this latest incident. "Due to legal and privacy concerns, we cannot comment on any matters relating to subpoenas for user account data," the spokeswoman says. But the company did confirm that the two incidents involving posts to GitHub that inadvertently contained sensitive information were not connected.

Uber didn't immediately respond.

This story has been updated with comment from GitHub.



About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.
