20-year-old paid to keep data breach secret – Uber

December 7, 2017

SAN FRANCISCO/WASHINGTON – A 20-year-old Florida man was responsible for the large data breach at Uber Technologies Inc [UBER.UL] last year and was paid by Uber to destroy the data through a so-called “bug bounty” program normally used to identify small code vulnerabilities, three people familiar with the events have told Reuters.

Uber announced on Nov. 21 that the personal data of 57 million users, including 600,000 drivers in the United States, were stolen in a breach that occurred in October 2016, and that it paid the hacker $100,000 (R 1 356 170.00) to destroy the information. But the company did not reveal any information about the hacker or how it paid him the money.

Uber made the payment last year through a program designed to reward security researchers who report flaws in a company’s software, these people said. Uber’s bug bounty service – as such a program is known in the industry – is hosted by a company called HackerOne, which offers its platform to a number of tech companies.

The identity of the hacker, or of another person who sources said helped him, could not be established. Uber spokesman Matt Kallman declined to comment on the matter.

Newly appointed Uber Chief Executive Dara Khosrowshahi fired two of Uber’s top security officials when he announced the breach last month, saying the incident should have been disclosed to regulators at the time it was discovered, about a year before.

It remains unclear who made the final decision to authorize the payment to the hacker and to keep the breach secret, though the sources said then-CEO Travis Kalanick was aware of the breach and bug bounty payment in November of last year.

Kalanick, who stepped down as Uber CEO in June, declined to comment on the matter, according to his spokesman.

A payment of $100,000 (R 1 356 170.00) through a bug bounty program would be extremely unusual, with one former HackerOne executive saying it would represent an “all-time record.” Security professionals said rewarding a hacker who had stolen data also would be well outside the normal rules of a bounty program, where payments are typically in the $5,000 (R67 811.25) to $10,000 (R135 617.00) range.

HackerOne hosts Uber’s bug bounty program but does not manage it, and plays no role in deciding whether payouts are appropriate or how large they should be.

HackerOne CEO Marten Mickos said he could not discuss an individual customer’s programs. “In all cases when a bug bounty award is processed through HackerOne, we receive identifying information of the recipient in the form of an IRS W-9 or W-8BEN form before payment of the award can be made,” he said, referring to U.S. Internal Revenue Service forms.

According to two of the sources, Uber made the payment to confirm the hacker’s identity and have him sign a nondisclosure agreement to deter further wrongdoing. Uber also conducted a forensic analysis of the hacker’s machine to make sure the data had been purged, the sources said.

One source described the hacker as “living with his mom in a small home trying to help pay the bills,” adding that members of Uber’s security team did not want to pursue prosecution of an individual who did not appear to pose a further threat.

The Florida hacker paid a second person for services that involved accessing GitHub, a site widely used by programmers to store their code, to obtain credentials for access to Uber data stored elsewhere, one of the sources said.

GitHub said the attack did not involve a failure of its security systems. “Our recommendation is to never store access tokens, passwords, or other authentication or encryption keys in the code,” that company said in a statement.
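GitHub's recommendation above is what repository secret scanning enforces in practice: committed credentials are flagged before they can be harvested and reused against systems that trust them. The following is an added example, not code from Uber, GitHub or Reuters: a minimal scanner run over constructed sample file lines, combining pattern rules with an entropy check so that obvious placeholders are not reported (the patterns and the 3.5-bit threshold are assumptions chosen for this illustration).

```python
import math
import re
from collections import Counter

# Patterns for credential shapes commonly found committed to repositories
# (constructed for this example; a real deployment uses a maintained rule set).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "assigned_credential": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score high, dictionary words low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_lines(lines, entropy_threshold=3.5):
    """Return (line_number, rule, matched_value) for each suspected secret.

    Assigned-credential matches are additionally filtered by entropy so that
    placeholders such as password = "changeme" are not reported.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if rule == "assigned_credential" and shannon_entropy(value) < entropy_threshold:
                continue
            findings.append((lineno, rule, value))
    return findings

# Constructed sample file contents; none of these are real credentials.
SAMPLE_CONFIG = [
    'DB_HOST = "db.internal.example"',
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',   # AWS documentation example key
    'password = "changeme"',                         # low-entropy placeholder, not reported
    'api_key = "x9Qz3LmP7vRt2KbN8wYc4HsA"',          # constructed high-entropy token
    '-----BEGIN RSA PRIVATE KEY-----',
]

if __name__ == "__main__":
    for lineno, rule, value in scan_lines(SAMPLE_CONFIG):
        print(f"line {lineno}: {rule}: {value}")
```

Wired into a pre-commit hook or CI job, a non-empty result from `scan_lines` is the signal to block the commit and rotate whatever was exposed.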

‘SHOUT IT FROM THE ROOFTOPS’

Uber received an email last year from an anonymous person demanding money in exchange for user data, and the message was forwarded to the company’s bug bounty team in what was described as Uber’s routine practice for such solicitations, according to three sources familiar with the matter.

Bug bounty programs are designed mainly to give security researchers an incentive to report weaknesses they uncover in a company’s software. But complicated scenarios can emerge when dealing with hackers who obtain information illegally or seek a ransom.

Some companies choose not to report more aggressive intrusions to authorities on the grounds that it can be easier and more effective to negotiate directly with hackers in order to limit any harm to customers.

Uber’s $100,000 (R 1 356 170.00) payout and silence on the matter at the time was extraordinary under such a program, according to Luta Security founder Katie Moussouris, a former HackerOne executive.

“If it had been a legitimate bug bounty, it would have been ideal for everyone involved to shout it from the rooftops,” Moussouris said.

Uber’s failure to report the breach to regulators, even though it may have felt it had dealt with the problem, was an error, according to people inside and outside the company who spoke to Reuters.

“The creation of a bug bounty program doesn’t allow Uber, their bounty service provider, or any other company the ability to decide that breach notification laws don’t apply to them,” Moussouris said.

Uber fired its chief security officer, Joe Sullivan, and a deputy, attorney Craig Clark, over their roles in the incident.

“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in a blog post announcing the hack last month.

Clark worked directly for Sullivan but also reported to Uber’s legal and privacy team, according to three people familiar with the arrangement. It is unclear whether Clark informed Uber’s legal department, which typically handled disclosure issues.

Sullivan and Clark did not respond to requests for comment.

In August, Sullivan, a former prosecutor and Facebook Inc (FB.O) security chief, said he integrated security engineers and developers at Uber “with our lawyers and our public policy team who know what regulators care about.”

Last week, three more top managers in Uber’s security unit resigned. One of them, physical security chief Jeff Jones, later told others he would have left anyway, sources told Reuters. Another of the three, senior security engineer Prithvi Rai, later agreed to stay in a new role.

(The story is refiled to correct to 57 million users in second paragraph, showing figure is for both passengers and drivers.)
