A 20-year-old Florida man who lives with his mother was responsible for a breach of 57 million Uber users’ details last year, according to a new report.
Three people familiar with the incident told Reuters that the controversial ride-hailing service made a $100,000 payment to hush up the breach through its bug bounty program, run by HackerOne.
However, that sum is at least 10 times greater than the usual payments that would be made through the program.
Uber is said to have made the payment in order to confirm the identity of the hacker (which is still unknown) and, remarkably, to have him sign a non-disclosure agreement (NDA) to prevent future raids.
The hacker’s PC was apparently also analyzed by Uber to confirm all the data had been deleted. However, there will still be question marks over the validity of an NDA struck with a cyber-criminal, and whether or not the individual still holds the data on another device.
It’s claimed the Florida man, described by one source as “living with his mom in a small home trying to help pay the bills”, paid a second person to access the Uber GitHub account where the firm’s Amazon Web Services credentials were stored.
CEO Dara Khosrowshahi shocked the world when he revealed last month that the firm had failed to notify the authorities of a major breach last year.
The affected parties include 600,000 US drivers and 2.7 million UK riders and drivers, although these are only estimates.
The incident could harm Uber’s chances of overturning a decision by Transport for London (TfL) in September to revoke its private operator license for the capital, after TfL claimed the firm was “not fit and proper” to hold one.
An estimated 3.5 million Londoners and 40,000 drivers use the app.