Uber hacker was 20-year-old man helping his mum pay bills

By @chelean
FILE PHOTO: A man arrives at the Uber offices in Queens, New York, U.S. on February 2, 2017. Reuters/Brendan McDermid/File Photo

The hacker who breached Uber Technologies Inc’s data last year was a 20-year-old American man who wanted to help his mother pay the bills. The hacker from Florida was paid US$100,000 (AU$132,000) by the ride-sharing company after he copied data from millions of its riders and drivers around the world.

Uber CEO Dara Khosrowshahi revealed last month that the company paid hackers last year, saying he only recently learnt about the breach. The company took immediate steps to secure the data and shut down the unauthorised access by the individuals. At the time of the announcement, it was said that there were two individuals involved.

Reuters now reports the identity of one individual who hacked into the personal data of 57 million users and drivers of the company. According to the publication’s sources, Uber paid the hacker through a program designed to reward security researchers reporting flaws in its software, Uber’s bug bounty service, which offers its platform to tech companies.

The hacker wasn’t a participant in the program, emailing Uber to demand money instead. The company directed him to the program and then used the process to uncover his identity. Reuters sources said Uber made the payment to confirm his identity and have him sign a nondisclosure agreement to deter further wrongdoing. It also conducted a forensic analysis of his machine to make sure the data had been completely removed.

The hacker paid a second person for services involving accessing GitHub, the coding site used by Uber, to obtain credentials for access to data that Uber stored elsewhere. A source described the hacker as a 20-year-old Florida man “living with his mum in a small home trying to help pay the bills.” The Uber security team decided against prosecuting the hacker because he did not appear to pose a further threat.

Khosrowshahi said in a statement last month that the company suffered the data breach in 2016 but he was informed only recently. He questioned why the affected individuals and regulators weren’t made aware of the hack.

“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can confirm on behalf of every Uber employee that we will learn from our mistakes,” he said. “We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

Chief security executive Joe Sullivan and another executive, Craig Clark, were fired for their involvement in the incident. According to three insiders, Clark worked directly for Sullivan but also reported to the legal and privacy team of the company. It is unclear if he informed the legal department of the breach.