Uber did not reveal that the password to download sensitive data from its cloud was hacked in 2016 — giving access to unencrypted files with 25 million names and email addresses, 22 million phone numbers, and 600,000 names and driver license numbers.
Such are the accusations of the US Federal Trade Commission (FTC), which believes Uber also used a third-party ‘bug bounty’ program to pay $100,000 to the people who hacked its system. Uber failed to tell the public and the FTC about the breach until November. A 20-year-old man in Florida is allegedly responsible and received the money. He was paid, through a program normally used to identify flaws in code, to destroy the data.
Uber then reportedly asked the hacker to sign a non-disclosure agreement in order not to encourage new attacks. According to Reuters, Uber even conducted an investigation to confirm that the data had in fact been deleted. The young man was “living with his mom in a small home trying to help pay the bills,” said Uber’s security team in December.