Last year, Uber was hacked. Over 57 million passengers and 600,000 drivers had their personal information stolen by a 20-year-old hacker from Florida. According to three people who spoke to Reuters, the company paid the hacker $100,000 through a “bug bounty” program.
Under normal circumstances, these bug bounties are intended to encourage hackers to find and report vulnerabilities. In this case, the hacker exploited the vulnerability, then was put into the bug bounty program so his ransom could be paid. In layman’s terms, the Uber executives who knew about the breach used the bug bounty so they could pay the ransom and pretend it was all part of IT security protocol. They didn’t want to admit they were hacked and likely wouldn’t have admitted it if an investigation by the board last month hadn’t revealed it.
Newly appointed Uber Chief Executive Dara Khosrowshahi fired two of Uber’s top security officials when he announced the breach last month, saying the incident should have been disclosed to regulators at the time it was discovered, about a year before.
It remains unclear who made the final decision to authorize the payment to the hacker and to keep the breach secret, though the sources said then-CEO Travis Kalanick was aware of the breach and bug bounty payment in November of last year.
The company, while still on top of the ridesharing industry, has faced setbacks, lawsuits, and fierce competition. The hack came at a vulnerable time for Uber, possibly prompting executives to attempt subterfuge instead of coming clean from the start.