EXCLUSIVE: Uber paid 20-year-old Florida man to keep data breach secret - sources

14:07, 07 December 2017. Source: Reuters


By Joseph Menn and Dustin Volz

SAN FRANCISCO/WASHINGTON (Reuters) - A 20-year-old Florida man was responsible for the large data breach at Uber Technologies Inc last year and was paid by Uber to destroy the data through a so-called "bug bounty" program normally used to identify small code vulnerabilities, three people familiar with the events have told Reuters.

FILE PHOTO: A photo illustration shows the Uber app on a mobile telephone, as it is held up for a posed photograph, in London, Britain November 10, 2017. © REUTERS/Simon Dawson/File Photo

Uber announced on Nov. 21 that the personal data of 57 million passengers and 600,000 drivers were stolen in a breach that occurred in October 2016, and that it paid the hacker $100,000 to destroy the information. But the company did not reveal any information about the hacker or how it paid him the money.


Uber made the payment last year through a program designed to reward security researchers who report flaws in a company's software, these people said. Uber's bug bounty service - as such a program is known in the industry - is hosted by a company called HackerOne, which offers its platform to a number of tech companies.

Reuters was unable to establish the identity of the hacker or another person who sources said helped him. Uber spokesman Matt Kallman declined to comment on the matter.

Newly appointed Uber Chief Executive Dara Khosrowshahi fired two of Uber's top security officials when he announced the breach last month, saying the incident should have been disclosed to regulators at the time it was discovered, about a year before.


It remains unclear who made the final decision to authorize the payment to the hacker and to keep the breach secret, though the sources said then-CEO Travis Kalanick was aware of the breach and bug bounty payment in November of last year.

Kalanick, who stepped down as Uber CEO in June, declined to comment on the matter, according to his spokesman.

A payment of $100,000 through a bug bounty program would be extremely unusual, with one former HackerOne executive saying it would represent an "all-time record." Security professionals said rewarding a hacker who had stolen data also would be well outside the normal rules of a bounty program, where payments are typically in the $5,000 to $10,000 range.

HackerOne hosts Uber's bug bounty program but does not manage it, and plays no role in deciding whether payouts are appropriate or how large they should be.

HackerOne CEO Marten Mickos said he could not discuss an individual customer's programs. "In all cases when a bug bounty award is processed through HackerOne, we receive identifying information of the recipient in the form of an IRS W-9 or W-8BEN form before payment of the award can be made," he said, referring to U.S. Internal Revenue Service forms.


According to two of the sources, Uber made the payment to confirm the hacker's identity and have him sign a nondisclosure agreement to deter further wrongdoing. Uber also conducted a forensic analysis of the hacker's machine to make sure the data had been purged, the sources said.

One source described the hacker as "living with his mom in a small home trying to help pay the bills," adding that members of Uber's security team did not want to pursue prosecution of an individual who did not appear to pose a further threat.

The Florida hacker paid a second person for services that involved accessing GitHub, a site widely used by programmers to store their code, to obtain credentials for access to Uber data stored elsewhere, one of the sources said.

GitHub said the attack did not involve a failure of its security systems. "Our recommendation is to never store access tokens, passwords, or other authentication or encryption keys in the code," that company said in a statement.

'SHOUT IT FROM THE ROOFTOPS'

Uber received an email last year from an anonymous person demanding money in exchange for user data, and the message was forwarded to the company's bug bounty team in what was described as Uber's routine practice for such solicitations, according to three sources familiar with the matter.


Bug bounty programs are designed mainly to give security researchers an incentive to report weaknesses they uncover in a company’s software. But complicated scenarios can emerge when dealing with hackers who obtain information illegally or seek a ransom.

Some companies choose not to report more aggressive intrusions to authorities on the grounds that it can be easier and more effective to negotiate directly with hackers in order to limit any harm to customers.

Uber's $100,000 payout and silence on the matter at the time was extraordinary under such a program, according to Luta Security founder Katie Moussouris, a former HackerOne executive.

"If it had been a legitimate bug bounty, it would have been ideal for everyone involved to shout it from the rooftops," Moussouris said.

Uber's failure to report the breach to regulators, even though it may have felt it had dealt with the problem, was an error, according to people inside and outside the company who spoke to Reuters.

"The creation of a bug bounty program doesn't allow Uber, their bounty service provider, or any other company the ability to decide that breach notification laws don't apply to them," Moussouris said.

Uber fired its chief security officer, Joe Sullivan, and a deputy, attorney Craig Clark, over their roles in the incident.

"None of this should have happened, and I will not make excuses for it," Khosrowshahi said in a blog post announcing the hack last month.

Clark worked directly for Sullivan but also reported to Uber's legal and privacy team, according to three people familiar with the arrangement. It is unclear whether Clark informed Uber's legal department, which typically handled disclosure issues.

Sullivan and Clark did not respond to requests for comment.

In an August interview with Reuters, Sullivan, a former prosecutor and Facebook Inc security chief, said he integrated security engineers and developers at Uber "with our lawyers and our public policy team who know what regulators care about."

Last week, three more top managers in Uber's security unit resigned. One of them, physical security chief Jeff Jones, later told others he would have left anyway, sources told Reuters. Another of the three, senior security engineer Prithvi Rai, later agreed to stay in a new role.

(Reporting by Joseph Menn in San Francisco and Dustin Volz in Washington; Additional reporting by Heather Somerville and Stephen Nellis in San Francisco; Editing by Jonathan Weber and Bill Rigby)
