In November, the CEO of Uber revealed that the company had paid a hacker $100,000 to delete data obtained from a 2016 breach in which 57 million Uber customers' and drivers' names, email addresses, and phone numbers were exposed. But the company did not reveal who the hacker was or how the payment was made.
A Reuters report now casts a bit more light on how the company concealed its blackmail payment—the money was paid out to an as-yet-unidentified Florida man through Uber's bug bounty program, now managed by HackerOne. How Uber officials confirmed the deletion of the data has not been revealed, and a number of US senators have asked for an investigation into the breach, citing questions about why Uber failed to contact law enforcement.
Uber's CEO, Dara Khosrowshahi, said in a blog post about the breach that "two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use," and that no payment data was exposed. But the driver's license data for about 600,000 Uber drivers was stolen, as was contact data for 57 million customers and drivers. "At the time of the incident," Khosrowshahi said, "we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts."
Khosrowshahi said he had only recently learned of the breach and had ordered an internal investigation. Two unidentified security team members at Uber who dealt with the breach were fired.
HackerOne's public statistics on the Uber bounty program show that Uber has paid out $1,289,595 in bounties over the life of the program so far, including one for the $10,000 maximum specified by Uber to a UK-based researcher for critical bugs. But there are no public payment details for HackerOne profiles that amount to the $100,000 Uber reports to have paid for the data destruction or any string of bounties to a single person that add up to that amount, so it's clear the payment wasn't made through the public HackerOne program. A former HackerOne official told Reuters' Joseph Menn and Dustin Volz that such a payment would amount to an "all-time record" payment through a bug bounty program.
Casey Ellis, founder and CTO of the bug bounty management company BugCrowd, expressed concern about how a company could pass off a blackmail payment as a bug bounty program without raising concerns or alarms. "From an ethical standpoint," Ellis said, "this development creates confusion and potentially damages the growth of the researcher/vendor relationship—despite the fact that it was clearly an extortion payout, and not a true Bug Bounty payout."
A HackerOne spokesperson told Ars that the company had no comment on the matter. Uber also is not commenting on the Reuters story. But using a bug bounty in this way would not be the first of Uber's ethically questionable (and in some cases legally questionable) technology shenanigans, including creating fake user accounts on competitor Lyft's system to help mine driver and pricing data in an attempt to identify which drivers worked for both Uber and Lyft.