Uber defends payments to hackers

Its security chief tells senators bounty program cut threats

Posted: February 7, 2018 at 1:56 a.m.

Uber's information security chief, John Flynn, defended the company's practice of paying hackers to find security flaws as he faced lawmakers over a data breach in 2016 in which hackers stole the personal information from 57 million people.

"Uber's bug bounty program unquestionably has increased the scale and speed at which we are able to identify and eliminate cybersecurity threats," Flynn told members of the U.S. Senate subcommittee on consumer protection, product safety, insurance, and data security, in prepared remarks.

Uber Technologies Inc. paid about $1.3 million to hundreds of independent hackers to find flaws in the ride-hailing company's digital security systems, Flynn told the panel Tuesday.

Uber was called to Washington to discuss the October 2016 data breach that the company concealed for more than a year. In the incident, which Bloomberg News reported in November, hackers stole the personal data of customers and drivers and the company paid the hackers $100,000 to delete it and keep the breach quiet.

Uber initially classified the hack as part of its existing bug-bounty program and did not disclose it to the public or regulators. In his testimony, Flynn acknowledged that the incident was notably different from a typical bug bounty, since the hackers had downloaded sensitive information rather than simply alerting Uber to the vulnerability. Flynn said the breach should have been disclosed.

"The fact that the company took approximately a year to notify impacted users raises red flags within this committee as to what systemic issues prevented such time-sensitive information from being made available to those left vulnerable," Chairman Jerry Moran, R-Kan., said at the start of the hearing.

Asked by Moran why the company didn't disclose the breach to affected customers, Flynn said complying with the patchwork of data breach laws can be difficult but that Uber didn't have the right people in place to properly deal with the response and should have disclosed the matter sooner. "Senator, there is no justification for that," Flynn said. "It was a mistake not to do so."

Flynn said the incident was different from a typical bug bounty and would be treated differently in the future. Sen. Richard Blumenthal, D-Conn., described the hackers' actions as a form of ransom and said that concealing the act was in effect aiding and abetting the original crime.

The compromised data included names, phone numbers, and email addresses of 50 million Uber riders around the world and personal information of about 7 million drivers, including some 600,000 U.S. driver's license numbers. No Social Security numbers, credit-card information, trip location details or other data were taken, Uber said in November.

Flynn acknowledged that the incident revealed the pitfalls of working with hackers to identify security risks.

"The intruders not only found a weakness, they also exploited the vulnerability in a malicious fashion to access and download data," Flynn said.

After anonymously notifying Uber of the breach, the hackers asked for a six-figure payout. Flynn said the money was doled out with help from HackerOne, a security firm started by hackers and security professionals.

Uber ousted its chief security officer and one of his deputies for their role in concealing the data theft. Flynn said the company regretted that the ride-hailing service didn't publicly report the incident earlier.

Since starting the bug bounty program almost three years ago, Uber has worked with more than 500 outside experts and resolved more than 800 system vulnerabilities, Flynn said.

Business on 02/07/2018