Skip to main content

Uber used bug bounty program to launder blackmail payment to hacker

posted onDecember 7, 2017
by l33tdawg

In November, the CEO of Uber revealed that the company had paid a hacker $100,000 to delete data obtained from a 2016 breach in which 57 million Uber customers' and drivers' names, email addresses, and phone numbers were exposed. But the company did not reveal who the hacker was or how the payment was made.

A Reuters report now casts a bit more light on how the company concealed its blackmail payment—the money was paid out to an as-yet-unidentified Florida man through Uber's bug bounty program, now managed by HackerOne. How Uber officials confirmed the deletion of the data has not been revealed, and a number of US senators have asked for an investigation into the breach, citing questions about why Uber failed to contact law enforcement.

Uber's CEO, Dara Khosrowshahi, said in a blog post about the breach that "two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use," and that no payment data was exposed. But the driver's license data for about 600,000 Uber drivers was stolen, as was contact data for 57 million customers and drivers. "At the time of the incident," Khosrowshahi said, "we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts."

Source

Tags

Security Industry News

You May Also Like

Recent News

Tuesday, November 19th

Friday, November 8th

Friday, November 1st

Tuesday, July 9th

Wednesday, July 3rd

Friday, June 28th

Thursday, June 27th

Thursday, June 13th

Wednesday, June 12th

Tuesday, June 11th