SAN FRANCISCO/WASHINGTON (Reuters) – A 20-year-old Florida man was responsible for the large data breach at Uber Technologies Inc last year and was paid by Uber to destroy the data through a so-called "bug bounty" program normally used to identify small code vulnerabilities, three people familiar with the events have told Reuters.
Uber announced on Nov. 21 that the personal data of 57 million passengers and 600,000 drivers were stolen in a breach that occurred in October 2016, and that it paid the hacker $100,000 to destroy the information. But the company did not reveal any details about the hacker or how it paid him the money.
Uber made the payment last year through a program designed to reward security researchers who report flaws in a company's software, these people said. Uber's bug bounty service – as such a program is known in the industry – is hosted by a company called HackerOne, which offers its platform to a number of tech companies.
Reuters was unable to establish the identity of the hacker or of another person who sources said helped him. Uber spokesman Matt Kallman declined to comment on the matter.
Newly appointed Uber Chief Executive Dara Khosrowshahi fired two of Uber's top security officials when he announced the breach last month, saying the incident should have been disclosed to regulators at the time it was discovered, about a year earlier.
It remains unclear who made the final decision to authorize the payment to the hacker and to keep the breach secret, though the sources said then-CEO Travis Kalanick was aware of the breach and the bug bounty payment in November of last year.
Kalanick, who stepped down as Uber CEO in June, declined to comment on the matter, according to his spokesman.
A payment of $100,000 through a bug bounty program would be extremely unusual, with one former HackerOne executive saying it would represent an "all-time record." Security professionals said rewarding a hacker who had stolen data also would be well outside the normal rules of a bounty program, where payments are typically in the $5,000 to $10,000 range.
HackerOne hosts Uber's bug bounty program but does not manage it, and plays no role in deciding whether payouts are appropriate or how large they should be.
HackerOne CEO Marten Mickos said he could not discuss an individual customer's programs. "In all cases when a bug bounty award is processed through HackerOne, we receive identifying information of the recipient in the form of an IRS W-9 or W-8BEN form before payment of the award can be made," he said, referring to U.S. Internal Revenue Service forms.
According to two of the sources, Uber made the payment to confirm the hacker's identity and have him sign a nondisclosure agreement to discourage further wrongdoing. Uber also conducted a forensic analysis of the hacker's machine to confirm the data had been purged, the sources said.
One source described the hacker as "living with his mom in a small home trying to help pay the bills," adding that members of Uber's security team did not want to pursue prosecution of an individual who did not appear to pose a further threat.
The Florida hacker paid a second person for services that involved accessing GitHub, a site widely used by programmers to store their code, to obtain credentials for access to Uber data stored elsewhere, one of the sources said.
GitHub said the attack did not involve a failure of its security systems. "Our recommendation is to never store access tokens, passwords, or other authentication or encryption keys in the code," that company said in a statement.
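The attack path described above (credentials committed to a code repository, then used against the systems they unlock) is exactly what GitHub's statement warns against. The following is an added example, not code from the article, from Uber or from GitHub: a minimal secret scanner of the kind teams run as a pre-commit hook or over a repository's history, shown against a constructed snippet that hard-codes credentials and a hardened variant that reads them from the runtime environment. The AWS-style key format used in the sample is an assumption for illustration (the article does not say what kind of credentials were taken), and the key values are the publicly documented AWS placeholder values, not real secrets.

```python
"""Added example: a small scanner for credentials committed to source code.

Not from the Reuters article, Uber or GitHub. The sample file contents are
constructed; the AWS-style key is the public documentation placeholder.
"""
import math
import re
from collections import Counter

# Credential patterns. The AWS access key id format (AKIA + 16 uppercase
# alphanumerics) is publicly documented; the other two are generic heuristics
# for private-key blocks and for "<something secret-ish> = '<long string>'".
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "assigned_secret": re.compile(
        r"(?i)(secret|password|passwd|token|api[_-]?key)[A-Za-z0-9_]*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Obvious placeholders that an assignment regex would otherwise flag.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx"}


def shannon_entropy(s: str) -> float:
    """Bits per character. Random-looking keys score high (> ~3.5);
    ordinary words and placeholders score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, path: str = "<memory>", min_entropy: float = 3.5):
    """Return findings as (path, line_no, rule, snippet) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if rule == "assigned_secret":
                value = m.group(2)
                # Drop placeholders and low-entropy strings to cut false positives.
                if value.lower() in PLACEHOLDERS or shannon_entropy(value) < min_entropy:
                    continue
            findings.append((path, line_no, rule, line.strip()[:80]))
    return findings


def scan_paths(paths):
    """Scan files on disk, e.g. the output of `git diff --cached --name-only`."""
    out = []
    for p in paths:
        try:
            with open(p, encoding="utf-8", errors="replace") as fh:
                out.extend(scan_text(fh.read(), p))
        except OSError:
            continue
    return out


# Constructed sample: the anti-pattern GitHub's statement warns against.
# Key values are the AWS documentation placeholders, not live credentials.
VULNERABLE_SNIPPET = '''\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_PASSWORD = "changeme"
s3 = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                  aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
'''

# Constructed sample: hardened form. Nothing secret lives in the repository;
# the SDK picks credentials up from environment variables or an attached role.
HARDENED_SNIPPET = '''\
import boto3
s3 = boto3.client("s3")  # reads AWS_* env vars or an IAM instance/task role
'''

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_SNIPPET), ("hardened", HARDENED_SNIPPET)):
        hits = scan_text(text, name + ".py")
        print(f"{name}: {len(hits)} finding(s)")
        for path, line_no, rule, snippet in hits:
            print(f"  {path}:{line_no} [{rule}] {snippet}")
```

The scanner flags the hard-coded access key id and the high-entropy secret but not the `changeme` placeholder, and reports nothing for the hardened snippet. Wired into a pre-commit hook via `scan_paths`, it blocks the commit that would have exposed the credentials in the first place; it does not help with keys already pushed, which must be rotated rather than merely deleted from the current revision.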
‘SHOUT IT FROM THE ROOFTOPS’
Uber received an email last year from an anonymous person demanding money in exchange for user data, and the message was forwarded to the company's bug bounty team in what was described as Uber's routine practice for such solicitations, according to three sources familiar with the matter.
Bug bounty programs are designed primarily to give security researchers an incentive to report weaknesses they uncover in a company's software. But complicated scenarios can emerge when dealing with hackers who obtain information illegally or seek a ransom.
Some companies choose not to report more aggressive intrusions to authorities on the grounds that it can be easier and more effective to negotiate directly with hackers in order to limit any harm to customers.
Uber's $100,000 payout and silence on the matter at the time was extraordinary under such a program, according to Luta Security founder Katie Moussouris, a former HackerOne executive.
"If it had been a legitimate bug bounty, it would have been ideal for everyone involved to shout it from the rooftops," Moussouris said.
Uber's failure to report the breach to regulators, even though it may have felt it had dealt with the problem, was an error, according to people inside and outside the company who spoke to Reuters.
"The creation of a bug bounty program doesn't allow Uber, their bounty service provider, or any other company the ability to decide that breach notification laws don't apply to them," Moussouris said.
Uber fired its chief security officer, Joe Sullivan, and a deputy, attorney Craig Clark, over their roles in the incident.
"None of this should have happened, and I can't make excuses for it," Khosrowshahi said in a blog post announcing the hack last month.
Clark worked directly for Sullivan but also reported to Uber's legal and privacy team, according to three people familiar with the arrangement. It is unclear whether Clark informed Uber's legal department, which typically handled disclosure issues.
Sullivan and Clark did not respond to requests for comment.
In an August interview with Reuters, Sullivan, a former prosecutor and Facebook Inc (FB.O) security chief, said he integrated security engineers and developers at Uber "with our lawyers and our public policy team who know what regulators care about."
Last week, three more top managers in Uber's security unit resigned. One of them, physical security chief Jeff Jones, later told others he would have left anyway, sources told Reuters. Another of the three, senior security engineer Prithvi Rai, later agreed to stay in a new role.
Reporting by Joseph Menn in San Francisco and Dustin Volz in Washington; Additional reporting by Heather Somerville and Stephen Nellis in San Francisco; Editing by Jonathan Weber and Bill Rigby