SAN FRANCISCO/WASHINGTON – A 20-year-old Florida man was responsible for the large data breach at Uber Technologies Inc last year and was paid by Uber to destroy the data through a so-called “bug bounty” program normally used to identify small code vulnerabilities, three people familiar with the events have told Reuters.
Uber announced on Nov. 21 that the personal data of 57 million passengers and 600,000 drivers were stolen in a breach that occurred in October 2016, and that it paid the hacker $100,000 to destroy the information. But the company did not reveal any information about the hacker or how it paid him the money.
Uber made the payment last year through a program designed to reward security researchers who report flaws in a company’s software, those people said. Uber’s bug bounty service – as such a program is known in the industry – is hosted by a company called HackerOne, which offers its platform to numerous tech companies.
Reuters was unable to establish the identity of the hacker or another person who sources said helped him. Uber spokesman Matt Kallman declined to comment on the matter.
Newly appointed Uber Chief Executive Dara Khosrowshahi fired two of Uber’s top security officers when he announced the breach last month, saying the incident should have been disclosed to regulators at the time it was discovered, about a year before.
It remains unclear who made the final decision to authorize the payment to the hacker and to keep the breach secret, though the sources said then-CEO Travis Kalanick was aware of the breach and bug bounty payment in November of last year.
Kalanick, who stepped down as Uber CEO in June, declined to comment on the matter, according to his spokesman.
A payment of $100,000 through a bug bounty program would be extremely unusual, with one former HackerOne executive saying it would represent an “all-time record.” Security professionals said rewarding a hacker who had stolen data also would be well outside the normal rules of a bounty program, where payments are typically in the $5,000 to $10,000 range.
HackerOne hosts Uber’s bug bounty program but does not manage it, and plays no role in deciding whether payouts are appropriate or how large they should be.
HackerOne CEO Marten Mickos said he could not discuss an individual customer’s programs. “In all cases when a bug bounty award is processed through HackerOne, we receive identifying information of the recipient in the form of an IRS W-9 or W-8BEN form before payment of the award can be made,” he said, referring to U.S. Internal Revenue Service forms.
According to two of the sources, Uber made the payment to confirm the hacker’s identity and have him sign a nondisclosure agreement to deter further wrongdoing. Uber also conducted a forensic analysis of the hacker’s machine to make sure the data had been purged, the sources said.
One source described the hacker as “living with his mom in a small home trying to help pay the bills,” adding that members of Uber’s security team did not want to pursue prosecution of an individual who did not appear to pose a further threat.
The Florida hacker paid a second person for services that involved accessing GitHub, a site widely used by programmers to store their code, to obtain credentials for access to Uber data stored elsewhere, one of the sources said.
GitHub said the attack did not involve a failure of its security systems. “Our recommendation is to never store access tokens, passwords, or other authentication or encryption keys in the code,” that company said in a statement.
‘SHOUT IT FROM THE ROOFTOPS’
Uber received an email last year from an anonymous person demanding money in exchange for user data, and the message was forwarded to the company’s bug bounty team in what was described as Uber’s routine practice for such solicitations, according to three sources familiar with the matter.
Bug bounty programs are designed mainly to give security researchers an incentive to report weaknesses they uncover in a company’s software. But complicated scenarios can emerge when dealing with hackers who obtain information illegally or seek a ransom.
Some companies choose not to report more aggressive intrusions to authorities on the grounds that it can be easier and more effective to negotiate directly with hackers in order to limit any harm to customers.
Uber’s $100,000 payout and silence on the matter at the time was extraordinary under such a program, according to Luta Security founder Katie Moussouris, a former HackerOne executive.
“If it had been a legitimate bug bounty, it would have been ideal for everyone involved to shout it from the rooftops,” Moussouris said.
Uber’s failure to report the breach to regulators, even though it may have felt it had dealt with the problem, was an error, according to people inside and outside the company who spoke to Reuters.
“The creation of a bug bounty program doesn’t allow Uber, their bounty service provider, or any other company the ability to decide that breach notification laws don’t apply to them,” Moussouris said.
Uber fired its chief security officer, Joe Sullivan, and a deputy, attorney Craig Clark, over their roles in the incident.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in a blog post announcing the hack last month.
Clark worked directly for Sullivan but also reported to Uber’s legal and privacy team, according to three people familiar with the arrangement. It is unclear whether Clark informed Uber’s legal department, which typically handled disclosure issues.
Sullivan and Clark did not respond to requests for comment.
In an August interview with Reuters, Sullivan, a former prosecutor and Facebook Inc (FB.O) security chief, said he integrated security engineers and developers at Uber “with our lawyers and our public policy team who know what regulators care about.”
Last week, three more top managers in Uber’s security unit resigned. One of them, physical security chief Jeff Jones, later told others he would have left anyway, sources told Reuters. Another of the three, senior security engineer Prithvi Rai, later agreed to stay in a new role.
Reporting by Joseph Menn in San Francisco and Dustin Volz in Washington; Additional reporting by Heather Somerville and Stephen Nellis in San Francisco; Editing by Jonathan Weber and Bill Rigby