Uber paid 20-year-old man to hide hack, destroy data

Uber reportedly paid a hacker from Florida $100,000 under the guise of a bug bounty program to keep quiet about a data breach which exposed information belonging to 57 million users.
According to three unnamed sources, as reported by Reuters, a 20-year-old was responsible for the catastrophic data breach, rather than a sophisticated group or state-sponsored team.
The data breach came to light in November: the names, email addresses, and phone numbers of 57 million Uber users worldwide were stolen, including 600,000 drivers’ license copies.
The breach, dating back to 2016, was apparently caused when hackers compromised a private GitHub repository and harvested engineering credentials that were later used to access an Amazon Web Services (AWS) account and the information stored within.
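The root cause described above, credentials sitting in a repository, is exactly what a secret scanner run as a pre-commit hook or over repository history is meant to catch. The following is an added example and not Uber's tooling or anything from the article; the config contents are constructed, and the two key values are AWS's published documentation placeholders, not live credentials.

```python
import math
import re

# Access key IDs have a fixed shape (AKIA.. long-term, ASIA.. temporary).
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret keys are 40 base64-like chars; only flag them next to a telling name.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret(?:_?access)?_?key|secret)\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)

def shannon_entropy(s: str) -> float:
    """Bits per character; real keys score high, filler like 'aaaa...' scores 0."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def redact(value: str) -> str:
    """Never echo a full credential into logs or CI output."""
    return value[:4] + "..." + value[-4:]

def scan_text(text: str, min_entropy: float = 3.5) -> list[tuple[int, str, str]]:
    """Return (line number, finding type, redacted value) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            secret = m.group(1)
            if shannon_entropy(secret) >= min_entropy:  # drops placeholders
                findings.append((lineno, "aws_secret_access_key", redact(secret)))
    return findings

# Constructed sample config; the key values are AWS's documented placeholders.
SAMPLE_CONFIG = "\n".join([
    "# deployment settings",
    "region = us-east-1",
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "db_password = hunter2",
    "secret = " + "a" * 40,  # low entropy: a placeholder, not a key
])

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind} {value}")
```

The entropy threshold is what keeps the scanner from flagging every 40-character placeholder; tune `min_entropy` against your own repositories' false-positive rate.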
Last month, Uber CEO Dara Khosrowshahi confirmed the breach, saying that “we have to be honest and transparent as we work to repair our past mistakes.”
The hackers in question were paid $100,000 to delete the information and keep quiet under the guise of the legitimate bug bounty program offered by Uber on the HackerOne bug bounty platform.
However, according to Reuters, it was one lone wolf — and a young US citizen at that — who was responsible.
Under the terms of the deal, the unnamed man had to sign a nondisclosure agreement and agree not to compromise Uber again; the company also conducted a forensic examination of his machine to make sure the data had been purged.
Speaking to the publication, one source described the hacker as “living with his mom in a small home trying to help pay the bills.”
Regulators were not informed of the incident at the time of the breach.
When a valid vulnerability is discovered and submitted through a bug bounty program, there is usually a public disclosure and often a technical explanation of the problem to promote news of the fix and to encourage other researchers to take an interest.
In addition, rewards — even for the most critical issues — rarely reach such an amount.
One can understand the panic and the attempt to hush it up — especially in light of how much controversy Uber has courted in the past few years — but with the information of so many users who trust the company at stake, this was a terrible failure and a huge mistake that may be extremely difficult to recover from.
ZDNet has reached out to Uber and will update if we hear back.
Once a system's security flaw has been exposed, the right path for a responsible organisation is to make active use of the event: notify users of the details through the media, release a fix quickly, and educate the affected users.
Security is relative; criminals will also use certain security mechanisms to fool consumers. In the end, these mechanisms are tools: good actors can use them, and so, of course, can bad ones.