Uber 2016 Cover-Up: Paying Hackers $100,000 via Bug Bounty to Hide a Breach
Uber discovered a breach affecting 57 million riders and drivers in 2016, then paid the hackers $100,000 via its bug bounty programme as hush money and concealed the breach from regulators and the public for a year.
Background
In 2016, Uber was under investigation by the FTC over a 2014 data breach. When a second, larger breach occurred in October 2016, instead of disclosing it, new CSO Joe Sullivan and others decided to pay the hackers and suppress the information — particularly from regulators.
The Attack
Two hackers discovered that Uber engineers had accidentally posted credentials for Uber's AWS S3 storage to a private GitHub repository. The hackers used those credentials to download 57 million rider and 600,000 driver records (names, emails, phone numbers, and for drivers, licence numbers). They contacted Uber demanding payment. CSO Joe Sullivan's team paid the hackers $100,000 through Uber's HackerOne bug bounty programme (falsely classifying it as a legitimate bounty), obtained a non-disclosure agreement, and did not disclose the breach. The breach was not disclosed for 13 months.
Response
New CEO Dara Khosrowshahi discovered the cover-up shortly after joining in November 2017 and disclosed the breach publicly in November 2017. Joe Sullivan was fired and later prosecuted. Uber settled with the FTC for $148 million. The settlement with the state attorneys general required Uber to implement a comprehensive privacy programme.
Outcome
Joe Sullivan became the first CISO ever convicted of a crime related to an employer's data breach (October 2022). He was sentenced to three years of probation. The case established that actively concealing a breach from regulators is a federal crime. The case sent a chilling signal to the security industry about personal criminal liability for breach cover-ups.
Key Takeaways
- Bug bounty programmes must have clear criteria — paying extortion through a bounty programme is fraud and obstruction
- CISOs have personal legal liability for breach cover-ups — comply with disclosure obligations regardless of corporate pressure
- Credentials in GitHub repositories — even private ones — should be treated as compromised immediately and rotated
- The FTC investigation was ongoing during the cover-up — concealing a breach from an active regulator is a serious federal offence
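The repository-credentials takeaway above, illustrated with an added Python example that is not part of the original page: it scans a constructed commit history for AWS access key material and reports every hit as requiring rotation, including keys that a later commit already removed from HEAD. The regexes, the commit structure and the sample values (AWS's documented placeholder credentials) are assumptions of this example.

```python
import re

# Assumed formats: AWS access key IDs are "AKIA" plus 16 uppercase alphanumerics;
# secret keys are 40 base64-like characters, usually next to the config key name.
AWS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
AWS_SECRET = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")


def find_aws_credentials(text):
    """Return (kind, value) findings for AWS credential material in a text blob."""
    findings = [("access_key_id", m.group(1)) for m in AWS_KEY_ID.finditer(text)]
    findings += [("secret_access_key", m.group(1)) for m in AWS_SECRET.finditer(text)]
    return findings


def scan_history(commits):
    """commits: list of (commit_id, {path: content}) ordered oldest to newest.

    Every credential found in any commit is reported with action "rotate":
    deleting a key from the latest commit does not remove it from history,
    and a private repository is no reason to treat the key as still secret.
    """
    seen = {}
    head_tree = commits[-1][1] if commits else {}
    for commit_id, tree in commits:
        for content in tree.values():
            for kind, value in find_aws_credentials(content):
                seen.setdefault((kind, value), set()).add(commit_id)
    report = []
    for (kind, value), commit_ids in seen.items():
        still_in_head = any(value in content for content in head_tree.values())
        report.append({"kind": kind, "value": value, "commits": sorted(commit_ids),
                       "in_head": still_in_head, "action": "rotate"})
    return report


# Constructed two-commit history: c1 hard-codes credentials, c2 replaces them
# with environment references. The values are AWS's documented placeholders.
SAMPLE_COMMITS = [
    ("c1", {"config/aws.yml": "aws_access_key_id: AKIAIOSFODNN7EXAMPLE\n"
                              "aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"}),
    ("c2", {"config/aws.yml": "aws_access_key_id: ${AWS_ACCESS_KEY_ID}\n"
                              "aws_secret_access_key: ${AWS_SECRET_ACCESS_KEY}\n"}),
]

if __name__ == "__main__":
    for finding in scan_history(SAMPLE_COMMITS):
        print(finding)
```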