In November, Uber’s CEO disclosed that the company had paid a hacker $100,000 to delete data obtained in a 2016 breach in which 57 million Uber customers’ and drivers’ names, email addresses, and phone numbers were exposed. But the company did not disclose who the hacker was or how the payment was made.
A Reuters report now sheds a little more light on how the company concealed its blackmail payment—the money was paid to an as-yet-unidentified Florida man through Uber’s bug bounty program, now managed by HackerOne. How Uber officials confirmed the deletion of the data has not been disclosed, and a number of US senators have asked for an investigation into the breach, raising questions about why Uber did not contact law enforcement.
Uber’s CEO, Dara Khosrowshahi, said in a blog post about the breach that “two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use,” and that no payment data was exposed. But the driver’s license data for roughly 600,000 Uber drivers was stolen, as was contact data for 57 million customers and drivers. “At the time of the incident,” Khosrowshahi said, “we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”
Khosrowshahi said he had only recently learned of the breach and had ordered an internal investigation. Two unidentified security team members at Uber who handled the breach were fired.
HackerOne’s public statistics on the Uber bounty program show that Uber has paid out $1,289,595 in bounties over the life of the program so far, including one for the $10,000 maximum set by Uber to a UK-based researcher for critical bugs. But there are no public payment details for HackerOne profiles that amount to the $100,000 Uber is reported to have paid for the data destruction, or any string of bounties to a single person that add up to that amount, so it is clear the payment was not made through the public HackerOne program. A former HackerOne official told Reuters’ Joseph Menn and Dustin Volz that such a payment would amount to an “all-time record” payment through a bug bounty program.
Casey Ellis, founder and CTO of the bug bounty management company BugCrowd, expressed concern about how a company could pass off a blackmail payment as a bug bounty payment without raising concerns or alarms. “From an ethical standpoint,” Ellis said, “this structure creates confusion and potentially damages the growth of the researcher/vendor relationship—even if it was clearly an extortion payout, and not a genuine Bug Bounty payout.”
A HackerOne spokesperson told Ars that the company had no comment on the matter. Uber also is not commenting on the Reuters story. But using a bug bounty in this way would not be the first of Uber’s ethically questionable (and in some cases legally questionable) technology shenanigans, which include creating fake user accounts on competitor Lyft’s system to help mine driver and pricing data in an attempt to determine which drivers worked for both Uber and Lyft.