Uber hack raises ‘ bug bounty’ worry
SAN FRANCISCO — “Hello Joe,” read the November 2016 email from someone identifying himself as “John Doughs.” “I have found a major vulnerability in Uber.”
The email appeared to be no different from other messages that Joe Sullivan, Uber’s chief security officer, and his team routinely received through the company’s “bug bounty” program, which pays hackers for reporting holes in the ride-hailing service’s systems, according to current and former Uber security employees.
Yet the note and Uber’s eventual $100,000 payment to the hacker, which was initially celebrated internally as a rare win in corporate security, have since turned into a public-relations debacle. In November, when Uber disclosed the 2016 incident and how the information of 57 million driver and rider accounts had been at risk, Dara Khosrowshahi, the CEO since August, called it a “failure” that Uber had not notified people earlier. Sullivan and another colleague were fired.
Uber’s handling of the hacking has come under major scrutiny. Not only did Uber pay an outsize amount to the hacker, but it also did not disclose until a year later that it had briefly lost control of so much data. The behavior raised questions of a cover-up and whether the payment really was just a ransom paid by a security operation that had been left alone for too long.
The hacking is now the subject of at least four lawsuits, with attorneys general in five states opening investigations into whether Uber broke laws on data-breach notifications. In addition, the U.S. attorney for Northern California has begun a criminal investigation.
Most of all, the hacking and Uber’s response have fueled a debate about whether companies that have crusaded to lock up their systems can scrupulously work with hackers without putting themselves on the wrong side of the law.
Uber is illustrative of a breed of company that aimed to bulletproof its security by recruiting former law enforcement and intelligence analysts and by installing layers of technical defenses and password security. They companies embraced the same hackers they once treated as criminals, shelling out bug bounties as high as $200,000 to report flaws.
Yet since the fallout from Uber’s disclosure, Silicon Valley companies have taken a harder look at their bounty programs. At least three have put their programs under review, according to two consultants who have confidential relationships with those unidentified companies. Others said criminal prosecutions for not reporting security gaps would deter ethical hackers who would otherwise come forward, causing even more security breaches.
In a statement, Sullivan disputed the notion that the 2016 episode was a breach, and he said Uber had treated it as an authorized vulnerability disclosure.
“I was surprised and disappointed when those who wanted to portray Uber in a negative light quickly suggested this was a cover-up,” he said, adding that he was proud its engineers had been able to fix the issue before it could be abused. He declined to discuss disclosure because of the active state investigations.