The hacker responsible for the October 2016 data breach of Uber’s systems that affected 57 million user accounts, including an estimated 2.7 million in the UK, has been identified only as a 20-year-old man based in the US state of Florida.
His name was "unavailable" from the "three sources close to the events" who disclosed the other details, the Express reports.
It has also emerged that the $100,000 paid to the hacker in return for deleting the data was channelled through Uber's bug bounty programme, hosted by HackerOne, and that according to a former HackerOne executive it represents a record payment for the service.
The bug bounty service is aimed at encouraging security researchers to report any flaws that could be exploited by hackers against Uber, and typically pays between $5,000 and $10,000 for information that enables Uber to harden its cyber defences.
According to Marten Mickos, CEO of HackerOne, whenever a bug bounty award is processed through the platform, the company receives identifying information about the recipient, in the form of a US tax form (IRS W-9 or W-8BEN), before the award can be paid out.
Two sources told Reuters that Uber used HackerOne to confirm the 20-year-old's identity and that he was asked to sign a non-disclosure agreement. Uber is also believed to have carried out a forensic analysis of the hacker's computer to check that all of the company's data had been wiped.
The data, which included names, email addresses and mobile phone numbers, but not trip location history, credit card or bank account numbers, or dates of birth, was downloaded from Amazon Web Services (AWS) storage using Uber's AWS log-in credentials, which had been stolen from a private repository on GitHub, the web-based version control service used by Uber's developers.
The 20-year-old reportedly paid a second person for obtaining access to the GitHub repository. It remains unclear why, when he approached Uber asking for money in exchange for the data he had accessed, he was directed to the company's bug bounty programme, why the authorities were not notified of the theft immediately, and who at Uber decided to approve the payment.
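The attack path described above, a cloud credential committed to a source repository and then used against AWS storage, is exactly the exposure a secret scanner is meant to catch before a commit leaves a developer's machine. The following is an added example, not Uber's or HackerOne's code: a minimal scanner for AWS access-key IDs and secret keys, with an entropy check so that template placeholders are not reported as findings. The regular expressions, the entropy threshold, the finding format and the sample credentials file are all assumptions made for this illustration; the key pair in the sample is the one AWS uses in its own documentation, not a live credential.

```python
import math
import re
import sys

# Key-ID prefixes AWS uses for long-term (AKIA) and temporary (ASIA) access keys.
AWS_ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# A 40-character base64-style value assigned to a variable whose name looks
# like an AWS secret key (credentials files, .env files, source code).
AWS_SECRET_KEY_RE = re.compile(
    r"aws(?:_|-|\s)?secret(?:_|-|\s)?(?:access(?:_|-|\s)?)?key\s*[=:]\s*[\"']?"
    r"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])",
    re.IGNORECASE,
)

# Placeholders such as "xxxx..." are short on entropy; keys generated from
# random bytes are not. The threshold is an assumption chosen for this example.
MIN_SECRET_ENTROPY_BITS = 3.5


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value` (0.0 for an empty or constant string)."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def mask(secret: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding can be matched to a key without logging the secret."""
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_text(text: str, path: str = "<text>") -> list:
    """Return one finding per suspected AWS credential in `text`, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID_RE.finditer(line):
            # The key ID is not secret by itself and is needed to rotate the key, so keep it.
            findings.append({"path": path, "line": lineno,
                             "kind": "aws_access_key_id", "value": m.group(1)})
        for m in AWS_SECRET_KEY_RE.finditer(line):
            secret = m.group(1)
            if shannon_entropy(secret) < MIN_SECRET_ENTROPY_BITS:
                continue  # template placeholder, not a generated key
            findings.append({"path": path, "line": lineno,
                             "kind": "aws_secret_access_key", "value": mask(secret)})
    return findings


def scan_files(paths) -> list:
    """Scan files on disk, e.g. the staged files passed in by a pre-commit hook."""
    findings = []
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(fh.read(), p))
    return findings


# Constructed sample (hypothetical file content): the key pair is AWS's documented
# example pair, so it is not a live credential.
SAMPLE_CONFIG = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# placeholder left by a config template: low entropy, must not be reported
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_files(sys.argv[1:])
    else:
        results = scan_text(SAMPLE_CONFIG, "sample/.aws/credentials")
    for f in results:
        print(f"{f['path']}:{f['line']}: {f['kind']} {f['value']}")
    # A hook exits non-zero so the commit (and any later push to GitHub) is blocked.
    sys.exit(1 if results else 0)
```

Run with no arguments it scans the embedded sample and reports the key ID on line 2 and the masked secret on line 3, while ignoring the all-x placeholder on line 5. Wired into a pre-commit hook with the staged file paths as arguments, a non-zero exit stops the commit; the same scan run over a repository's history is how a team finds credentials that were committed before the hook existed, and any key it finds there should be treated as compromised and rotated rather than merely deleted from the tree.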
However, Uber’s chief executive at the time, Travis Kalanick, is believed to have known about the breach.
Katie Moussouris, a former HackerOne executive, founder of Luta Security and bug bounty advocate, said that if the payment had been a legitimate bug bounty, it would have been ideal for everyone involved to shout it from the rooftops.
“The creation of a bug bounty program doesn’t allow Uber – their bounty service provider – or any other company the ability to decide that breach notification laws don’t apply to them,” she said.
When news of the breach emerged in November 2017, newly appointed Uber CEO, Dara Khosrowshahi, released a statement saying he was not aware of the 2016 incident until “recently”.
“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” he said.
However, Khosrowshahi emphasised that the incident did not breach Uber’s corporate systems or infrastructure.
When Uber disclosed that an estimated 2.7 million UK driver and customer accounts had been affected, the Information Commissioner’s Office (ICO) said the exposed information on its own was unlikely to pose a direct threat.
However, deputy commissioner James Dipple-Johnstone said its use may make other scams, such as bogus emails or calls, appear more credible.
“People should continue to be vigilant and follow the advice from the National Cyber Security Centre [NCSC]. As part of our investigation, we are still waiting for technical reports which should give full confirmation of the figures and the type of personal data that has been compromised,” he added.
Dipple-Johnstone said the ICO expected Uber to begin to inform those affected as soon as possible, and reiterated that the NCSC, alongside other relevant UK authorities, was continuing to work to ensure the data of UK citizens was protected.
The UK government said in a statement that the new Data Protection Bill would grant the ICO further powers to defend consumer interests and to issue even higher fines, of up to £18m or 4% of an organisation's global turnover in exceptional cases.