More details are coming to light about Uber's huge data breach. Reuters is reporting that a 20-year-old Florida man was behind the 2016 extortion-oriented cyberattack and was paid through the firm's bug bounty program. We know that the individual, whose identity Uber refuses to disclose, received $100,000 for destroying the info, which exposed the personal data of roughly 57 million customers and drivers. The ride-hailing firm then kept quiet about the breach for more than a year. You can bet Congress and the five states investigating Uber will be paying close attention to any new nuggets of info.
Bug bounties (where compensation is offered to hackers who find vulnerabilities) are commonplace within tech circles -- everyone from Apple to Samsung utilizes them. And, while highly-publicized rewards of up to $200,000 are the norm, it's rare that the largest sum is dispensed to any one person. Making Uber's $100,000 silent payout an all-time record for HackerOne, the firm that hosts Uber's bug bounty program, according to a former exec who spoke to Reuters.
The Florida hacker, described in the report as "living with his mom," reportedly paid a second individual for help accessing GitHub's resources to procure credentials for Uber data stored elsewhere.
Upon divulging the breach last month, the company fired chief security officer Joe Sullivan and one of his deputies, senior lawyer Craig Clark, for covering up the breach. But Reuters sources claim the coverup went straight to the top of the food chain to former CEO Travis Kalanick. Both Uber and Kalanick refused to comment.