Uber Used Bug Bounty Cash To Pay Hacker To Keep Quiet – Report

Uber could be in more hot water after it was reported that the ride-hailing firm had allegedly used its bug bounty program to pay a hacker to destroy the data he had stolen.

On 21 November Uber admitted it had suffered a hack back in October 2016 which saw the theft of personal information of 57 million customers and 600,000 drivers.

But the firm caused much anger when it was revealed it had actually paid the hacker $100,000 to delete the data, and had then concealed the breach for over a year.

Payoff Allegation

Uber never revealed any information about the hacker or how it paid him the money, but it later confirmed that 2.7 million UK customers had their personal details stolen, as regulators stepped in to investigate the breach.

But now three people familiar with the events have told Reuters that Uber used its so-called “bug bounty” program, normally used to reward security researchers who report vulnerabilities in its code, to pay off the hacker (said to be an unidentified 20-year-old man in Florida).

Uber’s bug bounty service is hosted by a company called HackerOne, which offers its platform to a number of tech companies.

It is important to note that HackerOne only hosts Uber’s bug bounty program; it does not manage it, and it plays no role in payout decisions.

HackerOne CEO Marten Mickos told Reuters he could not discuss an individual customer’s programs. “In all cases when a bug bounty award is processed through HackerOne, we receive identifying information of the recipient in the form of an IRS W-9 or W-8BEN form before payment of the award can be made,” he said, referring to US Internal Revenue Service forms.

According to two of Reuters’ sources, Uber made the payment to confirm the hacker’s identity and have him sign a non-disclosure agreement to deter further wrongdoing.

Uber then conducted a forensic analysis of the hacker’s machine to check that the data had been deleted, the sources reportedly said.


Troubled Times

The allegation will make life more difficult for Uber CEO Dara Khosrowshahi, who only recently became aware of the breach, having joined the company in August.

Khosrowshahi was hired amid concerns about the practices and ethics of previous members of the senior management team.

Previous CEO Travis Kalanick had stepped down in June 2017.

Once he became aware of the hack, Khosrowshahi reportedly sacked the company’s chief security officer and one of his deputies for their roles in hiding the hack, as well as for making the payment.

It remains unclear who made the final decision to authorise the payment to the hacker and to keep the breach secret, although the Reuters sources said then-CEO Kalanick was aware of the breach and bug bounty payment in November of last year.

Uber had not responded to Silicon UK at the time of writing.


Financial Repercussions?

Uber is already under fire for not disclosing the hack earlier to authorities and could be hit with stiff financial penalties.

Had the incident taken place after the introduction of the EU’s General Data Protection Regulation (GDPR) in May 2018, the penalties could have been more severe.

The GDPR is to replace the Data Protection Act (DPA) 1998, and the British government has confirmed that the referendum vote to leave the EU will not affect the regulation’s implementation in the UK.

The new rules will, amongst other things, vastly increase the power of European data protection authorities to impose fines, with organisations facing penalties of up to 20 million euros, or 4 percent of their annual worldwide turnover, whichever is greater.

By contrast, the Information Commissioner’s Office (ICO) can currently only impose fines of up to £500,000.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
