The ride-hailing company Uber revealed last month that hackers stole data on 57 million drivers and riders in October 2016. The breached data included personal information such as names, email addresses and driver’s license numbers, but not Social Security numbers and credit card information, the company said.
Uber also admitted that it paid $100,000 to the data thieves at the time to delete the information. But the company did not reveal any details about the hacker or how it paid him the money.
Sources familiar with the hack told Reuters that the payment was made through a program designed to reward bug hunters who report flaws in a company’s software. Uber’s bug bounty service is hosted by HackerOne, a company that connects security researchers with companies.
While three sources familiar with the hack told Reuters a Florida man was responsible, the news agency said it was unable to identify the man.
HackerOne CEO Marten Mickos said he could not discuss an individual customer’s programs. “In all cases when a bug bounty award is processed through HackerOne, we receive identifying information of the recipient in the form of an IRS W-9 or W-8BEN form before payment of the award can be made,” he said, referring to U.S. Internal Revenue Service forms.
Uber may also have broken a promise made in a Federal Trade Commission settlement to not mislead users about data privacy and security. Uber has declined to comment.
Uber CEO Dara Khosrowshahi fired two of Uber’s top security officials when he announced the breach last month, saying the incident should have been disclosed to regulators at the time it was discovered, about a year before.
It remains unclear who made the final decision to authorize the payment to the hacker and to keep the breach secret, though the sources said then-CEO Travis Kalanick was aware of the breach and bug bounty payment in November of last year. Kalanick, who stepped down as Uber CEO in June, declined to comment on the matter, according to his spokesman.