Uber hacker was 20-year-old man helping his mum pay bills


But now three people familiar with the events have told Reuters that Uber used its so-called "bug bounty" program normally used to identify small code vulnerabilities, to pay off the hacker (said to be an unidentified 20-year-old man in Florida).

Uber made the payment previous year through a program created to reward security researchers who report flaws in a company's software, these people said.

On 21 November Uber admitted it had suffered a hack back in October 2016 which saw the theft of personal information of 57 million customers and 600,000 drivers. HackerOne doesn't manage Uber's program. The bounty program is meant to reward security researchers who bring bugs to the company's attention so that a fix can be put into place. But the company did not reveal any information about the hacker or how it paid him the money. "Uber's delay to provide timely notice to affected individuals is inexcusable", Bondi says in the release.

Reuters claims to have other sources that revealed that the hacker in question was forced to sign a non-disclosure agreement as part of the deal and to have his machine undergo forensic analysis to ensure that the data has been fully deleted. Uber's bug bounty service - as such a program is known in the industry - is hosted by a company called HackerOne, which offers its platform to a number of tech companies.

More news: Recognising rights of all people in Holy Land essential - Pope
More news: Toys R Us plans to close 26 stores in the UK
More news: Mumbai rains: Schools, colleges closed as Cyclone Ockhi threat looms

Uber kept quiet about the breach and the details only came to light two weeks ago when new CEO Dara Khosrowshahi learnt about it, fired two of Uber's top security officials, went public with the news and noted that the company should have disclosed the breach to regulators.

A payment made of $100,000 through Uber's bug bounty program would be highly unusual, with one former executive of an online security company saying it would be the all-time record.

This all has a distinct whiff of bad practice about it, something which has plagued Uber of late, what with losing its London license and the rather nasty actions of former chief executive Travis Kalanick. He was identified as a 20-year-old living in Florida, but the sources did not reveal his name and Reuters admits it was unable to confirm his identity.

Uber is already under fire for not disclosing the hack earlier to authorities and could be hit with stiff financial penalties.