Uber has reportedly paid $100,000 as a pay-off to a hacker who stole the personal data of some 57 million users and passed it off as a bug bounty program.
Bug bounty programs are usually monetary rewards paid to white-hat hackers and security researchers for discovering bugs and vulnerabilities. In Uber’s case, the ride-hailing giant reportedly disguised a $100,000 pay-off to a hacker as a bug bounty payment in order to destroy the data stolen during a breach in 2016.
The revelations only came to light a month ago, with Uber admitting to the theft of the personal details of 57 million users, including 600,000 drivers in the United States following a breach in October 2016.
According to Reuters, Uber paid the hacker $100,000 to destroy the information through a bug bounty hosted via HackerOne, a platform used by companies across multiple industries to host bug bounty programs.
“A payment of $100,000 through a bug bounty program would be extremely unusual, with one former HackerOne executive saying it would represent an “all-time record,” the Reuters report read. “Security professionals said rewarding a hacker who had stolen data also would be well outside the normal rules of a bounty program, where payments are typically in the $5,000 to $10,000 range.”
Reuters also cites sources in revealing that Uber confirmed the hacker’s identity to have him sign a non-disclosure agreement to quell any further wrongdoing. Following the payment, Uber also conducted a forensic analysis of the hacker’s machine to ensure the data had been destroyed completely.
Uber’s new CEO Dara Khosrowshahi fired the company’s chief security officer Joe Sullivan and a deputy, attorney Craig Clark for their roles in the ‘cover-up’ of the breach, effectively letting go of the top two security officials at Uber.
Image credit: Pexels.