An unidentified man was paid $100,000 to delete the data through a bug bounty program, Reuters reports.
A 20-year-old Florida man was responsible for a massive data breach at Uber last year, although his identity couldn’t be established, Reuters reported Wednesday.
The ride-hailing startup revealed last month that hackers stole data on 57 million drivers and riders in October 2016. The pilfered data included personal information such as names, email addresses and driver’s license numbers, but not Social Security numbers or credit card information, the company said.
Uber said it paid $100,000 to the data thieves at the time to delete the information. But the company did not reveal any details about the hacker or how it paid him the money.
Sources familiar with the hack told Reuters the payment was made through a program designed to reward bug hunters who report flaws in a company’s software. Uber’s bug bounty service is hosted by HackerOne, a company that connects security researchers with companies.
While three sources familiar with the hack told Reuters a Florida man was responsible, the news agency said it was unable to identify the man.
Uber has said hackers accessed names and email addresses, as well as the driver’s license numbers of 600,000 Uber drivers, by stealing the password to a cloud database hosted by Amazon Web Services. Uber said it first became aware of the hack in November 2016. Since that time, CEO Travis Kalanick stepped down and was replaced by Dara Khosrowshahi in August.
The revelation has gotten the startup in hot water with regulators and prosecutors. The New York State Attorney General has opened an investigation into the incident, while the New Mexico Attorney General has sent Uber a letter asking for details of the hack and how the company responded. Officials for Connecticut, Illinois and Massachusetts also confirmed they’re investigating the hack.
Uber may also have broken a promise made in a Federal Trade Commission settlement not to mislead users about data privacy and security.
Uber declined to comment, while HackerOne representatives didn’t immediately respond to a request for comment.