Uber Paid 20-Year-Old Hacker Who Lives With His Mom To Cover Up Massive Data Breach

Uber kept its largest-ever data breach secret for more than a year. Victor J. Blue/Bloomberg via Getty Images

UPDATED | The hacker who swiped data from more than 57 million Uber users last year was a 20-year-old Florida man who lives with his mom—and received $100,000 from the ride-share company to keep his breach secret, according to a report on Wednesday.

The unidentified hacker planned the extortion-style hack—the largest data breach in Uber's history—as a way to help pay the bills for him and his mother, sources familiar with the scandal told Reuters. Uber paid the young hacker through a "bug bounty" program that is supposed to reward up to $10,000 to researchers who report flaws in its software. The hacker was not a part of the program, but found a way into the system and emailed the company demanding money.

Uber was able to determine the hacker's identity by directing him through the bug bounty program, which is hosted by a company called HackerOne. Uber convinced the man to delete the data after sending him the money he demanded, and it also had him sign a nondisclosure agreement to prevent him from discussing the incident, according to the report.

The ride-hailing company, which has claimed to be worth up to $70 billion, is being sued by multiple cities and five states for failing to disclose the 2016 breach, as more details emerge about the company's effort to cover up the cyberattack.

The lawsuits claim Uber put users at risk by failing to report the hack and secretly handling it internally. Uber fired its chief security executive, Joe Sullivan, and a deputy executive, Craig Clark, over their roles in the incident. Reuters reported that even then-CEO Travis Kalanick, who left the company in June 2017 amid accusations of fostering a hostile and sexist work culture, was aware of the breach and was part of the effort to keep it a secret. None of the Uber executives have commented on the matter.

The data breach occurred in October 2016. The stolen data of 57 million users, including 600,000 Uber drivers, included names, phone numbers, email addresses and license data. It did not include payment information.

Uber spokesman Matt Kallman wrote in an email to Newsweek, "We are not commenting."

This article has been updated with a response from Uber.