SAN FRANCISCO – Data breaches are frequently attributed to cybercrooks backed by governments, such as China or Russia, but one new report suggests the hack on Uber was carried out by a young man who lives with his mother.
Experts say the November breach at Uber Technologies, which involved records on more than 57 million users and 600,000 drivers, was perpetrated by a 20-year-old man in Florida. No arrests have been made, although Uber paid the hacker at least $100,000 to destroy the stolen information as part of a so-called “bug bounty.”
Uber made the payment last year through a bug bounty program designed to reward security researchers who report flaws in a company’s software, according to Reuters. Reuters said the reward was paid through a service hosted by a company called HackerOne, which offers its platform to a number of tech companies.
HackerOne CEO Marten Mickos told Reuters he could not discuss an individual customer’s programs, but did say, “In all cases when a bug bounty award is processed through HackerOne, we receive identifying information of the recipient in the form of an IRS W-9 or W-8BEN form before payment of the award can be made.”
Reuters quoted two sources as saying Uber made the payment to confirm the hacker’s identity and have him sign a nondisclosure agreement to deter further wrongdoing. Uber also conducted a forensic analysis of the hacker’s machine to make sure the data had been purged, the sources told Reuters.
Far from describing a nation-backed cyberhacking ring, one source characterized the hacker as “living with his mom in a small home trying to help pay the bills,” Reuters said. The Florida hacker allegedly paid a second person for services that involved accessing GitHub, a site widely used by programmers to store their code, to obtain credentials for access to Uber data stored elsewhere.
