Uber last month revealed a major 2016 hack that exposed information for 57 million customers and drivers, as well as the fact that it paid out $100,000 to the attackers to scrub the information and keep the breach secret. Now, sources tell Reuters it was actually one hacker who took home the $100,000, and he was a Florida man barely out of his teens. The "extremely unusual" payment to the unnamed 20-year-old hacker said to be "living with his mom" was made through what's known as Uber's "bug bounty" service—a program often used by big tech companies, per Engadget—hosted by a firm called HackerOne, which compensates hackers for finding issues in software. The three sources who spoke to Reuters say they're not sure who gave the OK to pay off the hacker and cover up the breach, though they note then-CEO Travis Kalanick was aware of both moves.
Katie Moussouris, an ex-HackerOne exec, says such a payout would be an "all-time record," as such bug-bounty payments usually fall between $5,000 and $10,000. Also making this case unusual: Uber paid someone who had stolen information and didn't immediately report the breach to regulators. "The creation of a bug bounty program doesn't allow Uber, their bounty service provider, or any other company the ability to decide that breach notification laws don't apply to them," Moussouris notes. The sources say Uber had the hacker sign an NDA and examined his machine to make sure all stolen data had been wiped. One source adds Uber doesn't want to see him prosecuted because it doesn't think he poses any further threat, noting he was simply "living with his mom in a small home trying to help pay the bills." One source says a second person, also unnamed, helped the hacker.