A 20-year-old hacker from Florida, USA, who still lives with his mother hacked Uber. Last year, data belonging to 57 million Uber users, including 600,000 drivers, was stolen in a breach.
Reuters was informed that Uber transferred $100,000 through its bug bounty program in order to cover up the breach. The bounty program is run by security firm HackerOne, which provides its platform to a range of technology companies.
The amount is also extremely unusual: it is more than 10 times higher than regular bug bounty program payments, which are typically in the $5,000 to $10,000 range.
Uber indicated that the payment was transferred so they could reveal the attacker’s identity and also have the attacker sign a non-disclosure agreement (NDA) in order to prevent future attacks. However, the identity of the hacker is still unknown.
It remains unclear who made the final decision to authorize the payment to the hacker and to keep the breach secret.
The attacker’s computer was apparently checked and analyzed in order to confirm that all the stolen data had been deleted. It is unknown, however, whether the attacker still has the data on other devices, and the validity of an NDA struck with the hacker is also in question.
One source described the hacker as “living with his mom in a small home trying to help pay the bills”, adding that Uber’s security team noted that the 20-year-old man does not pose any further threat.
The hacker is said to have paid another person so that he could access Uber’s GitHub account, in which the company’s Amazon Web Services credentials were stored.
Dara Khosrowshahi, businessman and the CEO of Uber, was shocked when he found out about the breach in 2016.
At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.
The stolen information included that of 600,000 US drivers and even 2.7 million riders and drivers in the UK. However, these numbers are only estimates, and the exact number of affected Uber users is still unknown.
The data breach could also harm Uber’s chances of changing a decision by Transport for London (TfL) to withdraw its private operator license.