Uber could be in more hot water after it was reported that the taxi service had allegedly used its bug bounty program to pay a hacker to destroy the data he had stolen. But the company did not reveal any details about the hacker or how it paid him the money.
Uber announced on November 21 that hackers had breached a third-party server the previous year and stolen the names and email addresses of 57 million users, among other personal information. The company said it took immediate steps to secure the data and shut down the unauthorised access by the individuals. "We also implemented security measures", Uber said in a statement.
Sources told Reuters that the company ensured the data had been removed by performing a "forensic analysis of the hacker's machine", and had him sign a nondisclosure agreement promising he would not participate in any "further wrongdoing".
"None of this should have happened, and I will not make excuses for it", Uber CEO Dara Khosrowshahi said in a blog post announcing the hack last month.
To cover up the attack, Uber used its bug bounty program hosted by HackerOne. Uber said it first became aware of the hack in November 2016.
The ride-hailing company, which has claimed to be worth up to $70 billion, is being sued by multiple cities and five states for failing to disclose the 2016 breach, as more details emerge about the company's effort to cover up the cyberattack. The bounty program is meant to reward security researchers who bring bugs to the company's attention so that a fix can be put into place.
Former CEO Travis Kalanick had stepped down in June 2017. Hackers and security researchers are typically paid thousands of dollars for the bugs they find, depending on their severity.
It is important to note that while HackerOne hosts Uber's bug bounty program, it does not manage it, nor does it have a hand in setting the amounts Uber pays out as bounties.
Uber ended up firing its chief security officer, Joe Sullivan, and attorney Craig Clark over their roles in the data breach, so it looks like the company isn't exactly chuffed with how the situation was handled, even though it has yet to comment on the revelations Reuters' sources have been serving up.
"If it had been a legitimate bug bounty, it would have been ideal for everyone involved to shout it from the rooftops", Moussouris said. It is unclear if he informed the legal department of the breach.