Uber's 2016 data breach wasn't a sophisticated state-sponsored cyber-attack but an extortion-oriented hack by a 20-year-old Florida man, Reuters reports.
The cab aggregator then paid him $100,000 under the guise of a bug bounty program to keep quiet about the breach, which exposed information belonging to 57 million users. The hacker, described in the report as "living with his mom," in turn paid a second individual for help accessing GitHub's resources to procure credentials for Uber data stored elsewhere.
The data breach came to light in November. The names, email addresses, and phone numbers of 57 million Uber users worldwide were stolen, including 600,000 drivers' license copies.
The breach apparently occurred because attackers managed to gain login credentials for an Uber Amazon Web Services account using a private GitHub site maintained by Uber engineers. CEO Dara Khosrowshahi confirmed the breach, saying that "we have to be honest and transparent as we work to repair our past mistakes."
At that time, it was alleged that the company paid hackers a $100,000 ransom to delete the data and not disclose what had happened to the media and public. However, according to Reuters, it was the handiwork of one Florida man, who was then made to sign a nondisclosure agreement and to agree not to compromise Uber again. Apparently, the company also conducted a forensic examination of his machine to make sure the data had been purged.
The sources claim that former CEO Travis Kalanick knew about the breach and bug bounty payment, but it’s unclear who authorized payment to the hacker.
Uber is yet to comment on the latest reports.