Uber used its bug bounty program to pay a Florida-based hacker $100,000 to wipe out all the data stolen from the ride-hailing service’s database last year, according to a new report by Reuters, citing sources with knowledge of the matter. The hacker is believed to have been the culprit behind a massive data breach in 2016 that compromised the personal information of some 57 million Uber drivers and riders. A tech company resorting to a bug bounty program as a way of paying a hacker who stole huge volumes of data isn’t standard industry practice, as this kind of initiative is typically reserved for security researchers who identify code vulnerabilities in software and report their findings to its creators.
Chief Executive Officer Dara Khosrowshahi officially disclosed the breach and the bug bounty payment last month, though the payment itself was made last year; Uber disclosed at the same time that it fired its chief security officer, Joe Sullivan, over how he handled the data breach that took place in October 2016. According to recent reports, Uber made the payment to have the hacker delete all the stolen data without backing it up, to avoid redistribution in the future, on condition that the incident be kept secret from the public and regulators. The identity of the hacker remains unknown to anyone, including Uber. Reuters’ report indicates that the bug bounty payment was meant to help establish the identity of the hacker in order to get him to sign an NDA with Uber, a legal agreement that would have obliged him to keep the stolen data secret and remain silent on the incident.
The ride-hailing company’s bug bounty program is hosted by HackerOne, which directly made the transaction on behalf of Uber, though it otherwise has no involvement in the workings of the service, with all decisions on the matter being made by the startup itself. Insiders claim former Uber CEO Travis Kalanick knew about the incident, but it’s unclear whether he authorized the payment or was even aware of it. This June, Kalanick resigned from Uber following a request from several investors who called for his ousting from the company he co-founded in 2009.