Uber disguised $100,000 hacker payoff as bug bounty, claims Reuters

Remember the 2017 Uber breach?

The one that was actually discovered in 2016, except that Uber conveniently forgot about it for a year before admitting, “Well, yes, now you mention it, some records did get taken.”

57,000,000 records in all, apparently, including – for Uber drivers, at least – data such as driving licence and vehicle registration details.

From a regulatory point of view, Uber ought to have reported this breach promptly in many jurisdictions around the world, rather than hushing it up; in the UK, for example, the Information Commissioner’s Office has variously stated:

Uber’s announcement about a concealed data breach last October raises huge concerns around its data protection policies and ethics. [2017-11-22T10:00Z]

It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers. Deliberately concealing breaches from regulators and citizens could attract higher fines for companies. [2017-11-22T17:35Z]

Uber has confirmed its data breach in October 2016 affected approximately 2.7 million user accounts in the UK. Uber has said the breach involved names, mobile phone numbers and email addresses. [2017-11-29]

At the time the breach news broke, it also emerged that Uber had paid $100,000 in what was effectively hush money to the hacker or hackers behind the breach, making it possible for Uber to sweep the breach under the carpet.

We speculated at the time how this payout might have been orchestrated:

It’ll be interesting to see how the story unfolds – if the current Uber leadership can unfold it at this stage, that is. I suppose you could wrap the $100,000 up as a “bug bounty payout”, but that still leaves the issue of “very conveniently deciding for yourself that it wasn’t necessary to report it”.

Well, if an exclusive investigation published recently by Reuters has it right, then so did we: Reuters claims that the payoff was indeed made to look like a bug bounty payout.

Bug bounties are official rewards offered by companies to researchers who find security bugs, flaws, holes and problems, but this sort of payout is offered within a legal framework that – for obvious reasons – puts limits on exactly where bounty hunters should go, and how they should behave.

Deliberately hacking a live system in a way that is likely to crash it just to prove a point is understandably off-limits; so too is using unlawful techniques to achieve a result – stealing a physical server, for example, or threatening an employee to extract a password.

Another unlawful no-no is actually cracking into a server, stealing a giant pile of data and then offering the data back for what amounts to a ransom, even if that ransom payment would also lead to finding and fixing the security hole.

But Reuters is insisting that is pretty much how it played out in the Uber case.

According to Reuters, the attack and breach went something like this: the hacker who was ultimately paid off by Uber contracted a “researcher” to dig out Uber passwords on GitHub; those passwords led to the 57 million records; Uber then received “an email […] demanding money in exchange for user data”.
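The initial foothold Reuters describes, credentials sitting in a public GitHub repository, is the kind of thing a defender can catch before it is committed or at least shortly after. The script below is an added example written for this page; it is not code from Naked Security, Uber or Reuters. It scans a constructed (entirely made-up) commit snippet for the common shapes that leaked credentials take, scores each hit with a Shannon-entropy check so that obvious placeholders such as `changeme` are ranked below real-looking secrets, and deliberately reports only a short prefix of each value so the scanner's own output does not become another copy of the secret. The pattern names, the 3.0 bits-per-character threshold and the sample file contents are all assumptions chosen for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample of text as it might be committed to a public repository.
# Every value here is made up for the example; none is a real credential.
SAMPLE_COMMIT = """\
# config/settings.py
DEBUG = True
DB_HOST = "db.internal.example"
DB_PASSWORD = "Hunter2Rules!2016"
PLACEHOLDER_PASSWORD = "changeme"
API_ENDPOINT = "https://api.example.test/v1"
# deploy/aws.env
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
AWS_SECRET_ACCESS_KEY=EXAMPLEsecretKEYmadeUPforTHISdemo0123456
README_LINE = "Set DB_PASSWORD in your environment; never commit it."
"""

# Three illustrative detectors (assumed for this example, not an exhaustive set):
#  - a key containing pass/pwd/secret/token assigned a quoted or bare value
#  - an AWS access key id shape (AKIA/ASIA + 16 uppercase alphanumerics)
#  - an AWS secret key assigned a 40-character base64-ish value
PATTERNS = {
    "password_assignment": re.compile(
        r"""(?i)(?P<key>[A-Za-z0-9_.-]*(?:pass(?:word)?|pwd|secret|token))"""
        r"""\s*[:=]\s*["']?(?P<value>[^"'\s]{6,})"""
    ),
    "aws_access_key_id": re.compile(r"(?P<value>\b(?:AKIA|ASIA)[A-Z0-9]{16}\b)"),
    "aws_secret_key": re.compile(
        r"(?i)(?P<key>aws_secret_access_key)\s*[:=]\s*(?P<value>[A-Za-z0-9/+=]{40})"
    ),
}


def shannon_entropy(value: str) -> float:
    """Bits per character: about 2.75 for 'changeme', 3.7+ for a real-looking password."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, entropy_threshold: float = 3.0) -> list[dict]:
    """Return one finding per (line, detector) hit, without echoing the full secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group("value")
            entropy = shannon_entropy(value)
            findings.append({
                "line": lineno,
                "kind": kind,
                "key": match.groupdict().get("key"),
                # Only a prefix is reported so scanner logs do not leak the secret.
                "preview": value[:4] + "...",
                "entropy": round(entropy, 2),
                # Low entropy usually means a placeholder; still worth a look, lower priority.
                "severity": "high" if entropy >= entropy_threshold else "low",
            })
    return findings


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_COMMIT):
        print(f"line {finding['line']:>2} {finding['severity']:<4} "
              f"{finding['kind']:<20} key={finding['key']} preview={finding['preview']}")
```

Run as a pre-commit hook or over `git log -p` output, the same function flags four lines of the sample (the two password assignments and the two AWS values) and nothing on the README line, which mentions `DB_PASSWORD` but assigns it no value. The entropy gate is a triage aid, not a safety net: a genuine secret that happens to be low-entropy still shows up, just ranked lower, and the right response to any hit that reaches a public repository is rotation, not deletion of the commit.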

Of course, even if that wasn’t quite how it happened, or if calling this a bug bounty payout is ultimately deemed ethically acceptable…

…there’s still the issue that we described above, namely the matter of Uber very conveniently deciding unilaterally that it wasn’t necessary to report the breach.

Over here in the UK, we’ll be very interested to see what the Information Commissioner’s Office has to add to its earlier warnings.