Uber used bug bounty program to launder blackmail payment to hacker

In November, the CEO of Uber revealed that the company had paid a hacker $100,000 to delete data obtained from a 2016 breach in which 57 million Uber customers' and drivers' names, email addresses, and phone numbers were exposed. But the company did not reveal who the hacker was or how the payment was made.

A Reuters report now casts a bit more light on how the company concealed its blackmail payment—the money was paid out to an as-yet-unidentified Florida man through Uber's bug bounty program, now managed by HackerOne. How Uber officials confirmed the deletion of the data has not been revealed, and a number of US senators have asked for an investigation into the breach, citing questions about why Uber failed to contact law enforcement.

Uber's CEO, Dara Khosrowshahi, said in a blog post about the breach that "two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use," and that no payment data was exposed. But the driver's license data for about 600,000 Uber drivers was stolen, as was contact data for 57 million customers and drivers. "At the time of the incident," Khosrowshahi said, "we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts."