More news has surfaced regarding the data breach at Uber. And the news again focuses attention on the negatives regarding the actions taken by Uber after the breach – the delayed response and the attempts to cover up the problem.
Reuters broke the news that Uber paid the 20-year-old Florida man responsible for the breach via a bug bounty program.
Details regarding the payment include:
- Uber made the payment last year via their bug bounty service, which is hosted by HackerOne. Bounty programs are intended to reward security researchers who report flaws in a company’s software.
- The identity of the hacker and of another person who is said to have helped are unknown, and Uber has not commented.
- The bug bounty payment amount of $100,000 is very large. Payments are typically in the $5,000 to $10,000 range. HackerOne plays no role in decisions regarding payments or payment size.
- Reuters’ sources said Uber made the payment to confirm the hacker’s identity, had him sign a nondisclosure agreement to deter further wrongdoing, and performed a forensic analysis of the hacker’s machine to ensure data was purged.
As we noted in our earlier blog post, a delay in announcing a breach can harm public and customer perception. This latest news highlights another problematic element of the Uber response: attempting to cover up the breach.
How To Get Breach Response Right
Forrester analysts writing in a recent Forbes article do a nice job of explaining why a good response to a breach is so critical:
Build your breach response on how you can do right by the individuals whose data you’ve mishandled or lost, and you start the process of getting back on your feet. Build your breach response on self-preservation and denial, and you’ll dig yourself into a deeper hole as the public questions your competence and intentions. Customers won’t remember what you said; they will remember how you made them feel. Why does this matter? Emotion is the most important factor in your customer relationship.