A 20-year-old Florida man was responsible for the large data breach at Uber Technologies Inc [UBER.UL] last year and was paid by Uber to destroy the data through a so-called “bug bounty” program normally used to identify small code vulnerabilities, three people familiar with the events have told Reuters.
Uber announced on November 21 that the personal data of 57 million users were stolen in a breach that occurred in October 2016, and that it paid the hacker $100,000 to destroy the information. But the company did not reveal any information about the hacker or how it paid him the money.
Uber made the payment last year through a program designed to reward security researchers who report flaws in a company’s software, these people said. Uber’s bug bounty service - as such a program is known in the industry - is hosted by a company called HackerOne, which offers its platform to a number of tech companies.
Reuters was unable to establish the identity of the hacker or another person who sources said helped him. Uber spokesman Matt Kallman declined to comment on the matter.
Newly appointed Uber Chief Executive Dara Khosrowshahi fired two of Uber’s top security officials when he announced the breach last month, saying the incident should have been disclosed to regulators at the time it was discovered, about a year before.
It remains unclear who made the final decision to authorise the payment to the hacker and to keep the breach secret, though the sources said then-CEO Travis Kalanick was aware of the breach and bug bounty payment in November of last year.
Mr Kalanick, who stepped down as Uber CEO in June, declined to comment on the matter, according to his spokesman.
A payment of $100,000 through a bug bounty program would be extremely unusual, with one former HackerOne executive saying it would represent an “all-time record.” Security professionals said rewarding a hacker who had stolen data also would be well outside the normal rules of a bounty program, where payments are typically in the $5,000 to $10,000 range.
HackerOne hosts Uber’s bug bounty program but does not manage it, and plays no role in deciding whether payouts are appropriate or how large they should be.
HackerOne CEO Marten Mickos said he could not discuss an individual customer’s programs. “In all cases when a bug bounty award is processed through HackerOne, we receive identifying information of the recipient in the form of an IRS W-9 or W-8BEN form before payment of the award can be made,” he said, referring to U.S. Internal Revenue Service forms.
According to two of the sources, Uber made the payment to confirm the hacker’s identity and have him sign a nondisclosure agreement to deter further wrongdoing. Uber also conducted a forensic analysis of the hacker’s machine to make sure the data had been purged, the sources said.
One source described the hacker as “living with his mom in a small home trying to help pay the bills,” adding that members of Uber’s security team did not want to pursue prosecution of an individual who did not appear to pose a further threat.
The Florida hacker paid a second person for services that involved accessing GitHub, a site widely used by programmers to store their code, to obtain credentials for access to Uber data stored elsewhere, one of the sources said.
GitHub said the attack did not involve a failure of its security systems. “Our recommendation is to never store access tokens, passwords, or other authentication or encryption keys in the code,” that company said in a statement.
Uber received an email last year from an anonymous person demanding money in exchange for user data, and the message was forwarded to the company’s bug bounty team in what was described as Uber’s routine practice for such solicitations, according to three sources familiar with the matter.
Bug bounty programs are designed mainly to give security researchers an incentive to report weaknesses they uncover in a company’s software. But complicated scenarios can emerge when dealing with hackers who obtain information illegally or seek a ransom.
Some companies choose not to report more aggressive intrusions to authorities on the grounds that it can be easier and more effective to negotiate directly with hackers in order to limit any harm to customers.
Uber’s $100,000 payout and silence on the matter at the time was extraordinary under such a program, according to Luta Security founder Katie Moussouris, a former HackerOne executive.
“If it had been a legitimate bug bounty, it would have been ideal for everyone involved to shout it from the rooftops,” Moussouris said.
Uber’s failure to report the breach to regulators, even though it may have felt it had dealt with the problem, was an error, according to people inside and outside the company who spoke to Reuters.
“The creation of a bug bounty program doesn’t allow Uber, their bounty service provider, or any other company the ability to decide that breach notification laws don’t apply to them,” Moussouris said.
Uber fired its chief security officer, Joe Sullivan, and a deputy, attorney Craig Clark, over their roles in the incident.
“None of this should have happened, and I will not make excuses for it,” Mr Khosrowshahi, said in a blog post announcing the hack last month.
Mr Clark worked directly for Mr Sullivan but also reported to Uber’s legal and privacy team, according to three people familiar with the arrangement. It is unclear whether Mr Clark informed Uber’s legal department, which typically handled disclosure issues.
Mr Sullivan and Mr Clark did not respond to requests for comment.
In an August interview with Reuters, Mr Sullivan, a former prosecutor and Facebook Inc (FB.O) security chief, said he integrated security engineers and developers at Uber “with our lawyers and our public policy team who know what regulators care about.”
Last week, three more top managers in Uber’s security unit resigned. One of them, physical security chief Jeff Jones, later told others he would have left anyway, sources told Reuters. Another of the three, senior security engineer Prithvi Rai, later agreed to stay in a new role.
A MINECRAFT MOVIE
Director: Jared Hess
Starring: Jack Black, Jennifer Coolidge, Jason Momoa
Rating: 3/5
EA Sports FC 25
Developer: EA Vancouver, EA Romania
Publisher: EA Sports
Consoles: Nintendo Switch, PlayStation 4&5, Xbox One and Xbox Series X/S
Rating: 3.5/5
SPEC%20SHEET%3A%20APPLE%20M3%20MACBOOK%20AIR%20(13%22)
%3Cp%3E%3Cstrong%3EProcessor%3A%3C%2Fstrong%3E%20Apple%20M3%2C%208-core%20CPU%2C%20up%20to%2010-core%20CPU%2C%2016-core%20Neural%20Engine%3C%2Fp%3E%0A%3Cp%3E%3Cstrong%3EDisplay%3A%3C%2Fstrong%3E%2013.6-inch%20Liquid%20Retina%2C%202560%20x%201664%2C%20224ppi%2C%20500%20nits%2C%20True%20Tone%2C%20wide%20colour%3C%2Fp%3E%0A%3Cp%3E%3Cstrong%3EMemory%3A%3C%2Fstrong%3E%208%2F16%2F24GB%3C%2Fp%3E%0A%3Cp%3E%3Cstrong%3EStorage%3A%3C%2Fstrong%3E%20256%2F512GB%20%2F%201%2F2TB%3C%2Fp%3E%0A%3Cp%3E%3Cstrong%3EI%2FO%3A%3C%2Fstrong%3E%20Thunderbolt%203%2FUSB-4%20(2)%2C%203.5mm%20audio%2C%20Touch%20ID%3C%2Fp%3E%0A%3Cp%3E%3Cstrong%3EConnectivity%3A%3C%2Fstrong%3E%20Wi-Fi%206E%2C%20Bluetooth%205.3%3C%2Fp%3E%0A%3Cp%3E%3Cstrong%3EBattery%3A%3C%2Fstrong%3E%2052.6Wh%20lithium-polymer%2C%20up%20to%2018%20hours%2C%20MagSafe%20charging%3C%2Fp%3E%0A%3Cp%3E%3Cstrong%3ECamera%3A%3C%2Fstrong%3E%201080p%20FaceTime%20HD%3C%2Fp%3E%0A%3Cp%3E%3Cstrong%3EVideo%3A%3C%2Fstrong%3E%20Support%20for%20Apple%20ProRes%2C%20HDR%20with%20Dolby%20Vision%2C%20HDR10%3C%2Fp%3E%0A%3Cp%3E%3Cstrong%3EAudio%3A%3C%2Fstrong%3E%204-speaker%20system%2C%20wide%20stereo%2C%20support%20for%20Dolby%20Atmos%2C%20Spatial%20Audio%20and%20dynamic%20head%20tracking%20(with%20AirPods)%3C%2Fp%3E%0A%3Cp%3E%3Cstrong%3EColours%3A%3C%2Fstrong%3E%20Midnight%2C%20silver%2C%20space%20grey%2C%20starlight%3C%2Fp%3E%0A%3Cp%3E%3Cstrong%3EIn%20the%20box%3A%3C%2Fstrong%3E%20MacBook%20Air%2C%2030W%2F35W%20dual-port%2F70w%20power%20adapter%2C%20USB-C-to-MagSafe%20cable%2C%202%20Apple%20stickers%3C%2Fp%3E%0A%3Cp%3E%3Cstrong%3EPrice%3A%3C%2Fstrong%3E%20From%20Dh4%2C599%3C%2Fp%3E%0A
NO OTHER LAND
Director: Basel Adra, Yuval Abraham, Rachel Szor, Hamdan Ballal
Stars: Basel Adra, Yuval Abraham
Rating: 3.5/5
Tree of Hell
Starring: Raed Zeno, Hadi Awada, Dr Mohammad Abdalla
Director: Raed Zeno
Rating: 4/5
Three ways to limit your social media use
Clinical psychologist, Dr Saliha Afridi at The Lighthouse Arabia suggests three easy things you can do every day to cut back on the time you spend online.
1. Put the social media app in a folder on the second or third screen of your phone so it has to remain a conscious decision to open, rather than something your fingers gravitate towards without consideration.
2. Schedule a time to use social media instead of consistently throughout the day. I recommend setting aside certain times of the day or week when you upload pictures or share information.
3. Take a mental snapshot rather than a photo on your phone. Instead of sharing it with your social world, try to absorb the moment, connect with your feeling, experience the moment with all five of your senses. You will have a memory of that moment more vividly and for far longer than if you take a picture of it.
MO
%3Cp%3E%3Cstrong%3ECreators%3A%20%3C%2Fstrong%3EMohammed%20Amer%2C%20Ramy%20Youssef%3C%2Fp%3E%0A%3Cp%3E%3Cstrong%3EStars%3A%20%3C%2Fstrong%3EMohammed%20Amer%2C%20Teresa%20Ruiz%2C%20Omar%20Elba%3C%2Fp%3E%0A%3Cp%3E%3Cstrong%3ERating%3A%3C%2Fstrong%3E%204%2F5%3C%2Fp%3E%0A
The National's picks
4.35pm: Tilal Al Khalediah
5.10pm: Continous
5.45pm: Raging Torrent
6.20pm: West Acre
7pm: Flood Zone
7.40pm: Straight No Chaser
8.15pm: Romantic Warrior
8.50pm: Calandogan
9.30pm: Forever Young
Profile box
Company name: baraka
Started: July 2020
Founders: Feras Jalbout and Kunal Taneja
Based: Dubai and Bahrain
Sector: FinTech
Initial investment: $150,000
Current staff: 12
Stage: Pre-seed capital raising of $1 million
Investors: Class 5 Global, FJ Labs, IMO Ventures, The Community Fund, VentureSouq, Fox Ventures, Dr Abdulla Elyas (private investment)
Dubai Bling season three
Cast: Loujain Adada, Zeina Khoury, Farhana Bodi, Ebraheem Al Samadi, Mona Kattan, and couples Safa & Fahad Siddiqui and DJ Bliss & Danya Mohammed
Rating: 1/5
Mercer, the investment consulting arm of US services company Marsh & McLennan, expects its wealth division to at least double its assets under management (AUM) in the Middle East as wealth in the region continues to grow despite economic headwinds, a company official said.
Mercer Wealth, which globally has $160 billion in AUM, plans to boost its AUM in the region to $2-$3bn in the next 2-3 years from the present $1bn, said Yasir AbuShaban, a Dubai-based principal with Mercer Wealth.
“Within the next two to three years, we are looking at reaching $2 to $3 billion as a conservative estimate and we do see an opportunity to do so,” said Mr AbuShaban.
Mercer does not directly make investments, but allocates clients’ money they have discretion to, to professional asset managers. They also provide advice to clients.
“We have buying power. We can negotiate on their (client’s) behalf with asset managers to provide them lower fees than they otherwise would have to get on their own,” he added.
Mercer Wealth’s clients include sovereign wealth funds, family offices, and insurance companies among others.
From its office in Dubai, Mercer also looks after Africa, India and Turkey, where they also see opportunity for growth.
Wealth creation in Middle East and Africa (MEA) grew 8.5 per cent to $8.1 trillion last year from $7.5tn in 2015, higher than last year’s global average of 6 per cent and the second-highest growth in a region after Asia-Pacific which grew 9.9 per cent, according to consultancy Boston Consulting Group (BCG). In the region, where wealth grew just 1.9 per cent in 2015 compared with 2014, a pickup in oil prices has helped in wealth generation.
BCG is forecasting MEA wealth will rise to $12tn by 2021, growing at an annual average of 8 per cent.
Drivers of wealth generation in the region will be split evenly between new wealth creation and growth of performance of existing assets, according to BCG.
Another general trend in the region is clients’ looking for a comprehensive approach to investing, according to Mr AbuShaban.
“Institutional investors or some of the families are seeing a slowdown in the available capital they have to invest and in that sense they are looking at optimizing the way they manage their portfolios and making sure they are not investing haphazardly and different parts of their investment are working together,” said Mr AbuShaban.
Some clients also have a higher appetite for risk, given the low interest-rate environment that does not provide enough yield for some institutional investors. These clients are keen to invest in illiquid assets, such as private equity and infrastructure.
“What we have seen is a desire for higher returns in what has been a low-return environment specifically in various fixed income or bonds,” he said.
“In this environment, we have seen a de facto increase in the risk that clients are taking in things like illiquid investments, private equity investments, infrastructure and private debt, those kind of investments were higher illiquidity results in incrementally higher returns.”
The Abu Dhabi Investment Authority, one of the largest sovereign wealth funds, said in its 2016 report that has gradually increased its exposure in direct private equity and private credit transactions, mainly in Asian markets and especially in China and India. The authority’s private equity department focused on structured equities owing to “their defensive characteristics.”
2025 Fifa Club World Cup groups
Group A: Palmeiras, Porto, Al Ahly, Inter Miami.
Group B: Paris Saint-Germain, Atletico Madrid, Botafogo, Seattle.
Group C: Bayern Munich, Auckland City, Boca Juniors, Benfica.
Group D: Flamengo, ES Tunis, Chelsea, Leon.
Group E: River Plate, Urawa, Monterrey, Inter Milan.
Group F: Fluminense, Borussia Dortmund, Ulsan, Mamelodi Sundowns.
Group G: Manchester City, Wydad, Al Ain, Juventus.
Group H: Real Madrid, Al Hilal, Pachuca, Salzburg.
The Great Derangement: Climate Change and the Unthinkable
Amitav Ghosh, University of Chicago Press
Our family matters legal consultant
Name: Hassan Mohsen Elhais
Position: legal consultant with Al Rowaad Advocates and Legal Consultants.
UAE currency: the story behind the money in your pockets
'Midnights'
%3Cp%3E%3Cstrong%3EArtist%3A%3C%2Fstrong%3E%20Taylor%20Swift%26nbsp%3B%3C%2Fp%3E%0A%3Cp%3E%3Cstrong%3ELabel%3A%3C%2Fstrong%3E%20Republic%20Records%3C%2Fp%3E%0A%3Cp%3E%3Cstrong%3ERating%3A%3C%2Fstrong%3E%204%2F5%3C%2Fp%3E%0A
