Uber hacker is a 20 yr-old Florida man

By Joseph Menn, Dustin Volz on Dec 7, 2017 3:19PM

Paid to keep quiet in bug bounty.

A 20-year-old Florida man was responsible for a massive data breach at Uber last year and was paid by Uber to destroy the data through a bug bounty program, three people familiar with the events have told Reuters.

Uber announced late last month that the personal data of 57 million users, including 600,000 drivers in the United States, were stolen in a breach that occurred in October 2016.

It also revealed that it had paid the hacker US$100,000 to destroy the information. But the company did not reveal any information about the hacker or how it paid him the money.

Uber made the payment last year through a bug bounty program designed to reward security researchers who report flaws in a company’s software, the three people said.

Uber’s bug bounty service is hosted by a company called HackerOne, which offers its platform to a number of tech companies.

Reuters was unable to establish the identity of the hacker or another person who sources said helped him. Uber spokesman Matt Kallman declined to comment on the matter.

Newly appointed Uber chief executive Dara Khosrowshahi fired two of Uber’s top security officials when he announced the breach last month, saying the incident should have been disclosed to regulators at the time it was discovered, about a year before.

It remains unclear who made the final decision to authorise the payment to the hacker and to keep the breach secret, though the sources said then-CEO Travis Kalanick was aware of the breach and bug bounty payment in November of last year.

Kalanick, who stepped down as Uber CEO in June, declined to comment on the matter, according to his spokesman.

A payment of US$100,000 through a bug bounty program would be extremely unusual, with one former HackerOne executive saying it would represent an “all-time record”.

Security professionals said rewarding a hacker who had stolen data also would be well outside the normal rules of a bounty program, where payments are typically in the US$5,000 to US$10,000 range.

HackerOne hosts Uber’s bug bounty program but does not manage it, and plays no role in deciding whether payouts are appropriate or how large they should be.

HackerOne CEO Marten Mickos said he could not discuss an individual customer’s programs.

“In all cases when a bug bounty award is processed through HackerOne, we receive identifying information of the recipient in the form of an IRS W-9 or W-8BEN form before payment of the award can be made,” he said, referring to US Internal Revenue Service forms.

According to two of the sources, Uber made the payment to confirm the hacker’s identity and have him sign a nondisclosure agreement to deter further wrongdoing.

Uber also conducted a forensic analysis of the hacker’s machine to make sure the data had been purged, the sources said.

One source described the hacker as “living with his mum in a small home trying to help pay the bills,” adding that members of Uber’s security team did not want to pursue prosecution of an individual who did not appear to pose a further threat.

The Florida hacker paid a second person for services that involved accessing GitHub to obtain credentials for access to Uber data stored elsewhere, one of the sources said.

GitHub said the attack did not involve a failure of its security systems.

Uber last month said the attacker had managed to gain access to the private GitHub repository of Uber software developers and use the credentials within to access data stored on an Amazon Web Services server.

“Our recommendation is to never store access tokens, passwords, or other authentication or encryption keys in the code,” GitHub said in a statement.
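GitHub's advice is easiest to enforce mechanically, for example as a pre-commit check that refuses a commit containing credential-looking literals. The scanner below is an added illustration, not code from Uber, GitHub or Reuters; it assumes the fixed prefix and length of AWS access key IDs, and its sample input is constructed from AWS's published documentation example credentials.

```python
import math
import re
from collections import Counter

# Long-lived (AKIA) and temporary (ASIA) AWS access key IDs share a fixed prefix
# and length, so they can be matched exactly rather than by heuristic.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Assignments of a quoted literal to a credential-looking name, e.g.
#   aws_secret_access_key = "..."   or   token: '...'
SECRET_ASSIGN_RE = re.compile(
    r"(?i)\b(\w*(?:secret|token|password|passwd|api_key|access_key)\w*)"
    r"\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score high, placeholders low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, entropy_threshold: float = 3.5):
    """Return (line number, finding type, detail) for each likely committed secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(0)))
        for m in SECRET_ASSIGN_RE.finditer(line):
            name, value = m.group(1), m.group(2)
            if AWS_KEY_ID_RE.fullmatch(value):
                continue  # already reported above
            # The entropy gate keeps obvious placeholders such as "changeme" out of the report.
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, "high_entropy_secret", name))
    return findings


# Constructed sample of the kind of file that must never be committed; the key
# values are AWS's published documentation examples, not real credentials.
SAMPLE = """\
# constructed sample config, not taken from any real repository
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "changeme_changeme"
region = "us-east-1"
"""

if __name__ == "__main__":
    for lineno, kind, detail in scan_text(SAMPLE):
        print(f"line {lineno}: {kind} ({detail})")
```

Wired into a pre-commit hook over the staged diff, a non-empty result blocks the commit before the credential ever reaches the remote repository.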

‘Shout it from the rooftops’

Uber received an email last year from an anonymous person demanding money in exchange for user data, and the message was forwarded to the company’s bug bounty team in what was described as Uber’s routine practice for such solicitations, according to three sources familiar with the matter.

Bug bounty programs are designed mainly to give security researchers an incentive to report weaknesses they uncover in a company’s software. But complicated scenarios can emerge when dealing with hackers who obtain information illegally or seek a ransom.

Some companies choose not to report more aggressive intrusions to authorities on the grounds that it can be easier and more effective to negotiate directly with hackers in order to limit any harm to customers.

Uber’s US$100,000 payout and its silence on the matter at the time were extraordinary under such a program, according to Luta Security founder Katie Moussouris, a former HackerOne executive.

“If it had been a legitimate bug bounty, it would have been ideal for everyone involved to shout it from the rooftops,” Moussouris said.

Uber’s failure to report the breach to regulators, even though it may have felt it had dealt with the problem, was an error, according to people inside and outside the company who spoke to Reuters.

“The creation of a bug bounty program doesn’t allow Uber, their bounty service provider, or any other company the ability to decide that breach notification laws don’t apply to them,” Moussouris said.

Uber fired its chief security officer, Joe Sullivan, and a deputy, attorney Craig Clark, over their roles in the incident.

“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in a blog post announcing the hack last month.

Clark worked directly for Sullivan but also reported to Uber’s legal and privacy team, according to three people familiar with the arrangement. It is unclear whether Clark informed Uber’s legal department, which typically handled disclosure issues.

Sullivan and Clark did not respond to requests for comment.

Last week, three more top managers in Uber’s security unit resigned. One of them, physical security chief Jeff Jones, later told others he would have left anyway, sources told Reuters. Another of the three, senior security engineer Prithvi Rai, later agreed to stay in a new role.

Copyright Reuters