A 20-year-old Florida man was responsible for the data breach at Uber Technologies a year ago and was paid by the company to destroy the data through what is known as a bug bounty program, a mechanism normally used to identify vulnerabilities, said three sources familiar with the situation.
Dara Khosrowshahi, Uber's new CEO, fired two of the company's security leaders when he found out about the breach, and acknowledged that it should have been reported when it was discovered.
Then-chief executive Travis Kalanick and chief security officer Joe Sullivan made the decision to pay the hackers and keep the breach a secret from Uber's customers and drivers. Kalanick stepped down as Uber CEO in June and has taken a vow of silence too.
Remember the unidentified man who was paid $100,000 to delete Uber's stolen data? Rewards for identifying bugs in code are more typically in the range of $5,000 - $10,000.
The payment was made by Uber last year via a program that is designed to reward researchers who report flaws in the company's software, said the sources. Uber spokesman Matt Kallman declined to comment on the matter. The company also reportedly ensured the data was deleted through a forensic analysis of the hacker's computer. The hacker also paid a second person, who offered his services in accessing GitHub to obtain credentials for accessing Uber's data.
But the firm caused much anger when it was revealed it had actually paid the hacker $100,000 to hide the information for over a year.
Uber had not responded to Silicon UK at the time of writing.
Moussouris added that the failure to report the breach was a grievous error: "The creation of a bug bounty program doesn't allow Uber, their bounty service provider or any other company the ability to decide that breach notification laws don't apply to them".
Another three members of Uber's security team subsequently resigned from their roles last week. Officials for Connecticut, Illinois and Massachusetts also confirmed they're investigating the hack.