Hackers in 2016 stole personal data of tens of millions of Uber riders and drivers. Uber didn’t report the breach and instead paid the two hackers (one of them a 20-year-old Floridian) $100K through HackerOne to stay quiet and delete the data.
HackerOne, btw, is described as “the most trusted hacker-powered security platform”, with HackerOne:
- Response (a compliant process for receiving/acting on vulnerabilities discovered by third parties)
- Challenge (improving pen-test results with a project-based vulnerability assessment program)
- Bounty (a private, fully-managed bug bounty program for continuous coverage)
HackerOne collects an IRS W-9 or W-8BEN form from a researcher before any payment can be made, and Reuters reported that Uber’s payment to the Florida hacker went through the platform.
All 50 states and D.C. filed a lawsuit and yesterday the California attorney general announced a settlement of $148 million with the company. Uber also agreed to strengthen its cybersecurity infrastructure and provide updates to the states on a quarterly basis.
Tony West, Uber’s CLO, who joined after the prior chief security officer was fired, handled the cleanup process. The company said that the hackers had targeted third-party cloud-based services. Uber still has to deal with private-party lawsuits and those of some specific cities.
There are a lot of important lessons here on cybersecurity, on compliance setups for financial services providers, and on the growing importance of Artificial Intelligence.
We discussed AI and cybersecurity/cryptocurrency issues in our most recent CSI roundtable in NY.