
Uber Defends Bug Bounty Hacker Program to U.S. Lawmakers

Uber’s John Flynn defended the company’s practice of paying hackers to find security flaws.


(Bloomberg) -- Uber’s information security chief, John Flynn, defended the company’s practice of paying hackers to find security flaws as he faced lawmakers over a 2016 data breach in which hackers stole the personal information of 57 million people.

“Uber’s bug bounty program unquestionably has increased the scale and speed at which we are able to identify and eliminate cybersecurity threats,” Flynn told members of the U.S. Senate subcommittee on consumer protection, product safety, insurance, and data security, in written remarks.

Uber Technologies Inc. paid about $1.3 million to hundreds of independent hackers to find flaws in the ride-hailing startup’s digital security systems, Flynn told the panel Tuesday.

Uber was called to Washington to discuss the October 2016 data breach that the company concealed for more than a year. In the incident, which Bloomberg News reported in November, hackers stole the personal data of customers and drivers and the company paid them $100,000 to delete it and keep the breach quiet.

Uber initially classified the hack as part of its existing bug bounty program and did not disclose it to the public or regulators. In his testimony, Flynn acknowledged that the incident was notably different from a typical bug bounty, since the hackers had downloaded sensitive information rather than simply alerting Uber to the vulnerability. Flynn said the breach should have been disclosed.

“The fact that the company took approximately a year to notify impacted users raises red flags within this committee as to what systemic issues prevented such time-sensitive information from being made available to those left vulnerable,” Chairman Jerry Moran, a Republican senator from Kansas, said at the start of the hearing.

Several lawmakers called for Congress to pass legislation establishing national standards for companies to notify consumers or law enforcement when there is a data breach. Asked by Moran why the company didn’t disclose the breach to affected customers, Flynn said complying with the patchwork of data breach laws can be difficult, but that Uber didn’t have the right people in place to properly handle the response and should have disclosed the matter sooner. “Senator, there is no justification for that,” Flynn said. “It was a mistake not to do so.”

Flynn said the incident was different from a typical bug bounty and would be treated differently in the future. Senator Richard Blumenthal, a Democrat from Connecticut, described the hackers’ actions as a form of ransom and said that concealing the act was in effect aiding and abetting the original crime.

The compromised data included names, phone numbers, and email addresses of 50 million Uber riders around the world and personal information of about 7 million drivers including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber said in November.

Flynn acknowledged that the incident revealed the pitfalls of working with hackers to identify security risks and said it unfolded in a way that was a departure from the traditional bug bounty program.

“The intruders not only found a weakness; they also exploited that vulnerability in a malicious fashion to access and download data,” Flynn said.

After anonymously notifying Uber of the breach, the hackers asked for a six-figure payout. Flynn said the money was doled out with help from HackerOne, a security firm started by hackers and security professionals.

Uber ousted its chief security officer and one of his deputies for their role in concealing the data theft. Flynn said the company regretted that the ride-hailing service didn’t publicly report the incident earlier.

Since launching the bug bounty program almost three years ago, Uber has worked with more than 500 outside experts and resolved more than 800 system vulnerabilities, Flynn said.

To contact the reporters on this story: Naomi Nix in Washington at nnix1@bloomberg.net, Eric Newcomer in San Francisco at enewcomer@bloomberg.net.

To contact the editors responsible for this story: Mark Milian at mmilian@bloomberg.net, Sara Forden at sforden@bloomberg.net, Molly Schuetz, Andrew Pollack

©2018 Bloomberg L.P.