Uber Paid 20-year-old Florida Man To Keep Data Breach Secret

A 20-year-old Florida man was responsible for the large data breach at Uber last year and he was paid by the company to destroy the data through a so-called "bug bounty" program, three people familiar with the events have told Reuters. From the report: Uber announced on Nov. 21 that the personal data of 57 million users, including 600,000 drivers in the United States, were stolen in a breach that occurred in October 2016, and that it paid the hacker $100,000 to destroy the information. But the company did not reveal any information about the hacker or how it paid him the money. Uber made the payment last year through a program designed to reward security researchers who report flaws in a company's software, these people said. Uber's bug bounty service -- as such a program is known in the industry -- is hosted by a company called HackerOne, which offers its platform to a number of tech companies.

Re:

[volodymyrbiryuk]

Because old ass baby boomers need to blame millenials to feel better about themselves.

Re:

[OzPeter]

You mean now there's even hated between age groups?

With ignorance like that I'd peg you as being one of those ignorant and self absorbed millennials.

Re:

[shaitand]

How do you sell conquest and murder? Call it liberation and spreading freedom.
How do you buck a powerful system implementing policies contrary to your profit interests and replace it with one where you have more power to shape policies to increase your profit? Call it tyrannical and get people to commit suicide and murder to "free" themselves of that "oppression".
How do you get people to support one group systematically getting the better end of the stick in trade? Call everything that results in your side

Re:

[irving47]

It could be argued that it's part of the "who"... Especially if they can't identify the person by name.

Re:

[SeaFox]

Why do these stories treat age as a relevant thing to the topic on hand?

Probably to make some commentary on how poor Uber's security was. They're pointing out some random young guy was able to do it (as opposed to a "mature security researcher with decades of experience").

Doesn't sound like they got their money's worth

[JoeyRox]

Considering we're now talking about the breach they paid to keep secret.

Re:Doesn't sound like they got their money's worth

[geekmux]

Considering we're now talking about the breach they paid to keep secret.

The revenue generated from operating for months without the public knowing about a breach likely made it worth it.

If unethical behavior is proven to be profitable in the face of pathetic slap-on-the-wrist fines, then unethical behavior will be the default behavior. This is the reason we're seeing such a dismantling of ethics in large business today. When doing the wrong thing is worth it, don't expect people to do the right thing.

Re:Doesn't sound like they got their money's worth

[klingens]

No it was simple extortion in a way the parties involved can claim it isn't extortion.

Uber has a bug bounty program.
Guy hacks Uber and steals customer's data.
Uber then pays the guy to destroy data instead of selling it on some black market.
So that Uber isn't seen as paying ransom, they pay a bug bounty instead. Also the money being declared "bug bounty" clears the guy of being an extortionist or hacker, so the guy is in the clear regarding the CFAA (Computer Fraud and Abuse Act) and the unlawful hacking is retroactively legitimized.

Re:

[geekmux]

No it was simple extortion in a way the parties involved can claim it isn't extortion.

Uber has a bug bounty program. Guy hacks Uber and steals customer's data. Uber then pays the guy to destroy data instead of selling it on some black market. So that Uber isn't seen as paying ransom, they pay a bug bounty instead. Also the money being declared "bug bounty" clears the guy of being an extortionist or hacker, so the guy is in the clear regarding the CFAA (Computer Fraud and Abuse Act) and the unlawful hacking is retroactively legitimized.

Other than a lack of an upfront NDA, there is very little difference between this scenario and a security consultant being hired for red team testing. In both cases, a company has agreed to pay an amount of money to someone for finding their vulnerabilities. When a company is willing to pay, it's not extortion.

If corporations still feel that bug bounty payouts are "extortion", then get rid of the program and take your chances with the FBI. It's that simple.

Re:

[swillden]

Other than a lack of an upfront NDA, there is very little difference between this scenario and a security consultant being hired for red team testing.

Bug bounties aren't typically done under any sort of upfront NDA either. So I think the only real difference between this and business as usual is that Florida Man downloaded a bunch of company data. Normal ethical hackers would find the vulnerability and then report it without using it. At most they might do a small test to verify that it is exploitable the way they think it is, but they wouldn't proceed to access data they should not have.

Re: Doesn't sound like they got their money's wort

[Wycliffe]

If a security researcher found a bug and refused to disclose it without being paid, I would probably not consider this extortion even if they downloaded all the records.
I also wouldn't consider it extortion if they threatened to disclose the bug or even sell the bug.
Where it crosses the line is if they threaten to sell or give away those records if they don't get paid.

Re:

[geekmux]

Other than a lack of an upfront NDA, there is very little difference between this scenario and a security consultant being hired for red team testing.

Bug bounties aren't typically done under any sort of upfront NDA either.

Either? When I spoke of the lack of an NDA, I was specifically referring to one party here; the bug bounty hacker. I certainly hope an organization wouldn't be stupid enough to contract a security consultant for pen test/red team work without an NDA in place every time.

So I think the only real difference between this and business as usual is that Florida Man downloaded a bunch of company data. Normal ethical hackers would find the vulnerability and then report it without using it. At most they might do a small test to verify that it is exploitable the way they think it is, but they wouldn't proceed to access data they should not have.

Perhaps the test result data set was a bit larger than the average, but "small test" can be completely subjective. And to be honest, if I were being proactive about this and hiring a security consultant, I probably wouldn't tell them to ho

Re:

[klingens]

In a bug bounty you show the company the bug and they pay you. Done.
You do not download millions of customer datasets first. At most you download one or a few as a PoC, preferably your own actually. Not Millions! Somewhere between 1 and 57 million, it goes from PoC to outright criminal theft.

Delete the Hacker.

[Anonymous Coward]

A Hit Man is probably about $25k

 

Breach?

[Bert64]

If this guy was the only one who accessed the data, and he did so under a bug bounty program for which he got paid (and presumably signed an nda) then it's not really a breach at all?

The data was basically accessed by a paid contractor who's under NDA, business as usual and happens all the time.

Re:

[Anonymous Coward]

If this guy was the only one who accessed the data, and he did so under a bug bounty program for which he got paid (and presumably signed an nda) then it's not really a breach at all?

The data was basically accessed by a paid contractor who's under NDA, business as usual and happens all the time.

Well, this does look a bit like a gray area based on the sequence of events. He wasn't under specific contract before the hack... unless of course there is something in the bug bounty program that covers this under a ToS and he was working under that ToS. It really depends on facts not being reported... like whether the hacker actually demanded payment before destroying the company data or if destroying any company data was merely a clause in the contract for the bug bounty program.

Re:

[Anonymous Coward]

Except a paid contractor will delete the data or be sued to death.

"Florida Man" likely did not delete the data, and put it into cold storage.

Re:

[BlueCoder]

I was about to say the same thing. Unless there was a clear threat to release or sell the "information" (not the hack) to other parties this was ethical hacking. If he did the hack and hadn't come forward until tracked down then it would be another matter.

I think the writing is on the wall that all ethical hackers need to be represented by lawyers and one or more companies that specialize in this sort of thing and that can keep their names clear. It's not extortion. It's grey just like if you do a private a

Sounds like they paid a ransom that went sideways.

[Last_Available_Usern]

Seems like they used a rather legit way of paying a ransom to get him to sweep it under the rug. At least, that's how it appears to me.

Florida Man has many talents

[Ayano]

Sorry, I couldn't resist.

bitcoin?

[Anonymous Coward]

it paid the hacker $100,000 to destroy the information. But the company did not reveal any information about the hacker or how it paid him the money

I hope they paid the hacker in bitcoin. He would be a very happy camper right now.

Captcha: audits

Bug bounty program works.

[roc97007]

News at 11.

Lesson learned

[Brockmire]

The first day of my first job out of college, the CEO said to me, "how do you get a tire through an embargo? Tie a rope around it and call it a swing". I treat that as the first sign he was a fraud to stay away from.