Uber paid $100,000 to a 20-year-old Florida man responsible for the recently disclosed data breach that compromised the personal information of 57 million riders and drivers in 2016, multiple sources told Reuters. The company only came clean about the hack 13 months after it took place, as Uber's former chief of security paid the hacker $100,000 under the guise of a bug bounty to keep it under wraps.
Three people familiar with the incident said an unidentified Florida man contacted Uber after breaching a server in October and stealing information including the names and email addresses of ride-share users in the US and overseas, Reuters reported Wednesday.
They were unable to identify the hacker or the person who helped him, and Uber is still saying nothing about the hack.
It is widely believed that CEO Travis Kalanick was aware of the breach and the bug bounty payment in November of last year. Kalanick has since stepped down as CEO and was replaced by Dara Khosrowshahi in August.
Uber paid the man to delete the data through a "bug bounty" program hosted by the company HackerOne.
Uber could be in more hot water after it was reported that the taxi service had allegedly used its bug bounty program to pay a hacker to destroy the data he had stolen.
Uber spokesman Matt Kallman declined to comment to Reuters.
Uber then also conducted a forensic analysis of the hacker's machine to make sure the data had been purged, the sources reportedly said. The pilfered data included personal information such as names, email addresses and driver's license numbers, but not Social Security numbers or credit card information, the company said. He did say that every bug bounty award is processed through them.
Uber's failure to report the breach to regulators, even though it may have felt it had dealt with the problem, was an error, according to people inside and outside the company who spoke to Reuters. It is unclear whether Clark informed Uber's legal department, which typically handled disclosure issues. The bounty program is meant to reward security researchers who bring bugs to the company's attention so that a fix can be put into place.