After the hack occurred, instead of publicly announcing it, the company paid $100,000 to the hackers to delete the information.
Three people familiar with the incident said an unidentified Florida man contacted Uber after breaching a server in October and stealing information including the names and email addresses of ride-share users in the USA and overseas, Reuters reported Wednesday.
Sources have now told Reuters that the payment to the hacker was made through Uber's bounty program, which monetarily rewards those who find bugs in the company's software and applications. Since that time, CEO Travis Kalanick has stepped down and was replaced by Dara Khosrowshahi in August.
Remember the unidentified man who was paid $100,000 to delete Uber's stolen data? Security professionals said rewarding a hacker who had stolen data also would be well outside the normal rules of a bounty programme, where payments are typically in the $5,000 to $10,000 range.
Sources said that the payment was made through Uber's bug bounty service, which is hosted (but not managed) by a company called HackerOne.
Uber made the payment to confirm the hacker's identity and have him sign a nondisclosure agreement to deter further wrongdoing.
As per the report, Uber also conducted a forensic analysis of the hacker's machine to make sure that no traces of data were left behind.
Uber has come under fire since disclosing the data breach last month, more than a year after the fact, and the incident is now being reviewed by state and federal regulators in the USA and overseas.
Uber had not responded to Silicon UK at the time of writing.
"The creation of a bug bounty program doesn't allow Uber, their bounty service provider, or any other company the ability to decide that breach notification laws don't apply to them", Moussouris said.
Once he became aware of the hack, Khosrowshahi reportedly sacked the company's chief security officer and one of his deputies for their roles in hiding the hack, as well as for making the payment.