CISO Says Characterizing Payoff as Bug Bounty Was Wrong
Hindsight, as they say, is 20/20. The axiom has never been truer than for postmortems into data breach responses.
Uber, the controversial ride-sharing company, arguably set the lowest bar after it waited a year before disclosing that hackers accessed 57 million accounts of its riders and drivers around October 2016. The breach was first disclosed in November 2017 (see Uber Concealed Breach of 57 Million Accounts for a Year).
It later emerged that Uber paid $100,000 through bug-bounty program HackerOne to the two men who discovered the leak. But the payment was positioned as a bug bounty even though the finders made extortion-like demands.
On Tuesday, Uber CISO John Flynn testified before the U.S. Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security. Flynn told senators that the company should have notified the public sooner about the breach, and that paying off the hackers was wrong.
“We recognize that the bug bounty program was not an appropriate vehicle for dealing with intruders who seek to extort funds from the company,” Flynn said. “While the incident remains under investigation by the company and others, I echo statements by Uber’s new leadership that it was wrong to not disclose the breach earlier.”
Bridging Bug Gaps
Bug bounty programs have helped bridge an uncomfortable gap: the one between software vendors and the outside researchers who find vulnerabilities in their applications but have no working relationship with them.
The bounties give vulnerability hunters an incentive to report their findings so a patch can be developed, rather than releasing the information publicly, which can put users at risk.
Uber launched its bug bounty program through HackerOne in 2015. HackerOne CEO Marten Mickos told the committee that 63,000 vulnerabilities have been found and fixed using his company’s platform.
HackerOne contracts with organizations to run structured bug bounty programs with researchers. The average payout for a vulnerability is $500, and the maximum bounty from one company that uses HackerOne is now $250,000, Mickos said.
“No other method has been shown to produce similar results with such favorable economics,” Mickos testified.
Mickos said he could not discuss the Uber situation, as legal proceedings remain underway.
Flynn told the committee that Uber received an anonymous email on Nov. 14, 2016, saying data had been leaked and demanding a six-figure payment.
Uber confirmed the data was legitimate. The source was a back-up file stored on Amazon’s S3 storage service. The credentials to access the storage bucket had been left on GitHub, the web-based code sharing and development platform.
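The failure described above is a leaked cloud credential in a code repository. The check a practitioner would want is a secret scanner that runs before code is pushed. The following is an added example, not Uber's or HackerOne's code: it scans text (or the lines being added in a staged git diff) for the AWS access key ID format that AWS documents (AKIA or ASIA followed by 16 upper-case alphanumerics), for 40-character secrets assigned to an aws_secret_access_key-style variable, and for other high-entropy values assigned to secret-looking names. The entropy threshold, the generic variable-name list and the sample config file are assumptions made for the example; the AWS key values in the sample are the placeholder keys from AWS's own documentation, not real credentials.

```python
"""Scan text, or a staged git diff, for leaked cloud credentials.

Added example (not Uber's or HackerOne's code). The regexes, the entropy
threshold and the sample config below are assumptions made for illustration.
"""
import math
import re
import subprocess
import sys
from typing import Dict, List

# AWS access key IDs: "AKIA" (long-term) or "ASIA" (temporary) + 16 characters.
AWS_ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A 40-character secret assigned to a variable named like aws_secret_access_key.
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key[\"']?\s*[:=]\s*[\"']?([A-Za-z0-9/+=]{40})"
)
# Catch-all for other secret-looking assignments; filtered by entropy below.
GENERIC_SECRET_RE = re.compile(
    r"(?i)(?:secret|token|password|passwd|api[_-]?key)[\"']?\s*[:=]\s*[\"']?([A-Za-z0-9/+=_-]{20,})"
)
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed value, tune per codebase


def shannon_entropy(s: str) -> float:
    """Bits per character. Randomly generated 20-40 char secrets land around 4-5;
    human-chosen passwords and repeated words land well below that."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(text: str, source: str = "<memory>") -> List[Dict]:
    """Return one finding per credential-looking value, with its line number."""
    findings: List[Dict] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits: List[Dict] = []
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            hits.append({"kind": "aws_access_key_id", "value": m.group(1)})
        for m in AWS_SECRET_KEY_RE.finditer(line):
            hits.append({"kind": "aws_secret_access_key", "value": m.group(1)})
        if not hits:  # generic, entropy-gated check only when nothing specific matched
            for m in GENERIC_SECRET_RE.finditer(line):
                value = m.group(1)
                if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                    hits.append({"kind": "high_entropy_secret", "value": value})
        for h in hits:
            h.update(source=source, line=lineno, entropy=round(shannon_entropy(h["value"]), 2))
            findings.append(h)
    return findings


def scan_staged_diff() -> List[Dict]:
    """Pre-commit use: scan only the lines being added in the staged diff.
    Line numbers in the result refer to the concatenated added lines, not the file."""
    diff = subprocess.run(
        ["git", "diff", "--cached", "--unified=0"],
        capture_output=True, text=True, check=True,
    ).stdout
    added = "\n".join(
        l[1:] for l in diff.splitlines() if l.startswith("+") and not l.startswith("+++")
    )
    return scan_text(added, source="staged-diff")


# Constructed sample config. The AWS values are the placeholder keys from AWS's
# own documentation; the api_key and the weak password are made up for the example.
SAMPLE_CONFIG = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
api_key = "q7Zp2Lw9RkT4vN8xB1mC6yH3"
password = "passwordpassword1234"
"""


def main() -> int:
    """With --staged, act as a pre-commit hook; otherwise scan the sample."""
    findings = scan_staged_diff() if "--staged" in sys.argv else scan_text(SAMPLE_CONFIG, "sample")
    for f in findings:
        print(f"{f['source']}:{f['line']}: {f['kind']} (entropy {f['entropy']})")
    return 1 if findings else 0  # non-zero exit blocks the commit when used as a hook


if __name__ == "__main__":
    sys.exit(main())
```

Run as `python scan_secrets.py` to see the three findings from the sample (the weak password is skipped because its entropy is too low), or wire `python scan_secrets.py --staged` into `.git/hooks/pre-commit` so a commit that adds a matching line fails. A scanner like this is a last line of defence; the credential that reached GitHub in the Uber case should also have been a short-lived or tightly scoped one, so that a leak would not have exposed a whole backup bucket.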
The data covered 25 million Uber users in the U.S., of which 4.1 million were drivers; 600,000 of the driver accounts included driver's license numbers. Nearly all of the data sets included names, email addresses and phone numbers. For some users, Uber IDs and location data were leaked, along with tokens or hashed and salted passwords.
Eventually, Flynn said, the company determined that one person in Florida had accessed the data, and that the person who contacted Uber lived in Canada. Uber paid the two $100,000 after receiving assurances from both individuals that the data would be destroyed.
“Our primary goal in paying the intruders was to protect our consumers’ data,” Flynn said. “This was not done in a way that is consistent with the way our bounty program normally operates, however. In my view, the key distinction regarding this incident is that the intruders not only found a weakness, they also exploited the vulnerability in a malicious fashion to access and download data.”
U.S. Sen. Jerry Moran, R-Kan., chairman of the committee, pressed Flynn on how Uber justified not notifying consumers more quickly, after discovering the breach.
Flynn responded: “Senator, there’s no justification for that.”
Uber is facing a variety of investigations from regulators in the United States, United Kingdom, Australia and the Philippines. In the United States, several state attorneys general have probes underway, including those of Illinois, New York, Connecticut and Massachusetts. Forty-eight states have mandatory breach notification laws, but there is no federal law.
During questioning by U.S. Sen. Richard Blumenthal, D-Conn., Flynn said that one mistake Uber made was not having the right legal representatives involved when it was trying to determine whether the company was bound by any breach notification requirements.
Flynn added that Uber is in the process of updating its policies and guidance to ensure that bug bounties aren't a negotiable item. HackerOne's Mickos said that paying extortion demands through HackerOne is forbidden.