2017 has been a difficult time for ride-sharing company Uber. Earlier this year, Uber lost a vital legal battle with London officials who rescinded its ability to operate in the city, its most lucrative market, after concerns about the company’s lax licensing policies for drivers. Their position with the public was further hampered only weeks ago when the company revealed that, back in 2016, they suffered a massive hack that stole data pertaining to 57 million users and, more alarmingly, detailed licensing info from 600,000 of the company’s own registered drivers. The issue was further complicated by the fact that, rather than going public with the information, Uber paid some mysterious entity to mask all evidence of the event.
Recently, more information regarding the face behind the Uber hack cleanup effort has come to light. The lone hacker was paid a sum of $100,000 to mask all evidence of the breach. According to new sources, the hacker is a 20-year-old man who resides in Florida with his mother. Contrary to previous reports, he did not, in fact, work alone: rather, the Florida hacker separately hired a second individual to help with the project. While there are no details on this second individual thus far, what is known is that the Florida man hired him to assist in accessing parts of Github, the source from which Uber user and driver credentials were hosted and subsequently stolen from in the 2016 hack.
While Uber’s actions were certainly underhanded and a clear breach of both client and employee trust, their move to offer a bounty for a fix isn’t unprecedented in the tech world. In that sense, it’s unsurprising that the company would turn to an outside, third-party source rather than handling the problem internally. Google recently offered a bounty to any hackers who could identify problems with the Play Store used to deliver apps to Android devices. Likewise, software and hardware manufacturers like Samsung and Apple operate similar reward schemes for bored IT security buffs.
Still, Uber will inevitably face some legal backlash for hiding the breach from customers for well over a year. In an attempt to mend fences, Uber promptly fired Joe Sullivan and Craig Clark, a security chief and lawyer for the company respectively. Rumors suggest that the decision to hide the hack may have came from CEO Travis Kalanick himself, but only further investigation will reveal who precisely issued the order.