Inside Uber’s $100,000 payment to a hacker, and the fallout
“Hello Joe,” read the November 2016 email from someone identifying himself as “John Doughs.” “I have found a major vulnerability in Uber.”
The email appeared to be no different from other messages that Joe Sullivan, Uber’s chief security officer, and his team routinely received through the company’s “bug bounty” programme, which pays hackers for reporting holes in the ride-hailing service’s systems, according to current and former Uber security employees.
Yet the note and Uber’s eventual $100,000 payment to the hacker, which was initially celebrated internally as a rare win in corporate security, have since turned into a public relations debacle for the company. In November, when Uber disclosed the 2016 incident and how the information of 57-million driver and rider accounts had been at risk, the company’s chief executive since August, Dara Khosrowshahi, called it a “failure” that it had not notified people earlier. Sullivan and a security lawyer, Craig Clark, were fired.
In the weeks since, Uber’s handling of the hacking has come under major scrutiny. Not only did Uber pay an outsize amount to the hacker, but it also did not disclose that it had briefly lost control of so much consumer and driver data until a year later. The behaviour raised questions of a cover-up and a lack of transparency, as well as whether the payment really was just a ransom paid by a security operation that had acted on its own for too long.
The hacking is now the subject of at least four lawsuits, with attorneys general in five states investigating whether Uber broke laws on data-breach notifications. In addition, the US attorney for Northern California has begun a criminal investigation into the matter.
Most of all, the hacking and Uber’s response have fueled a debate about whether companies that have crusaded to lock up their systems can scrupulously work with hackers without putting themselves on the wrong side of the law.
Uber is illustrative of a breed of company that aimed to bulletproof its security. While many corporations were for years blissfully unaware of hackers penetrating their systems, Uber and others recruited former law enforcement and intelligence analysts and installed layers of technical defenses and password security. They joined other companies in embracing the same hackers they once treated as criminals, shelling out bug bounties as high as $200,000 to report flaws.
Yet since the fallout from Uber’s disclosure, Silicon Valley companies have taken a harder look at their bounty programs. At least three have put their programs under review, according to two consultants who have confidential relationships with those companies, which they declined to name. Others said criminal prosecutions for not reporting John Doughs would deter ethical hackers who would otherwise come forward, causing even more security breaches.
“Anything that causes organisations to take a step backwards and not welcome contributions from the security community will have a negative impact on all of us,” said Alex Rice, a co-founder of HackerOne, a security company whose business is to work with customers, including Uber, to manage interactions with and payments to hackers.
The situation is complicated by Uber’s track record for pushing boundaries, which put it under scrutiny last year and helped spur the resignation of Travis Kalanick, its longtime chief executive, in June. Mr. Khosrowshahi has since vowed to change the way the company conducts itself.
This account of Uber’s hacking and the company’s response was based on more than a dozen interviews with people who dealt with the incident, many of whom declined to be identified because of the confidentiality of their exchanges. Many are current or former members of Uber’s security team, who defended their actions as a prime example of how executives should respond to security problems. The New York Times also obtained more than two dozen internal Uber emails and documents related to the incident.
In a statement, Sullivan disputed the notion that the 2016 episode was a breach and said Uber had treated it as an authorized vulnerability disclosure.
“I was surprised and disappointed when those who wanted to portray Uber in a negative light quickly suggested this was a cover-up,” he said, adding that he was proud its engineers had been able to fix the issue before it could be abused. He declined to discuss disclosure because of the active state investigations.