The two individuals responsible for hacking Uber’s data in 2016 were in Canada and Florida at the time, the ride-hailing firm’s security executive told a US congressional committee on Tuesday, according to a Reuters report.
According to Uber Technologies’ chief information security officer John Flynn’s written testimony to a Senate Commerce Committee panel, about 25 million people whose data was compromised in the breach live in the United States.
Of those, 4.1 million were drivers, said Flynn, whose testimony described new details about the hack, the handling of which prompted recently appointed Uber chief executive officer Dara Khosrowshahi to fire two top security officials.
Uber revealed the breach of 57 million global users in November 2017, about a year after it took place.
A Reuters report in December said that a 20-year-old man was primarily behind the breach, and that he was paid by Uber to destroy the data through a so-called “bug bounty” program, which is designed to reward researchers for uncovering security vulnerabilities.
Reuters further added that Flynn confirmed the man who obtained data from Uber was in Florida and revealed that his partner, who first contacted the company on Nov. 14, 2016, to demand a six-figure payment, was in Canada.
According to Flynn, Uber’s security team contacted both people and received “assurances” the pilfered data had been destroyed before paying them $100,000.
Flynn said Uber had made mistakes, including paying the hackers through its “bug bounty” program.
“We made a misstep in not reporting to consumers, and we made a misstep in not reporting to law enforcement,” Flynn said to a Senate panel.
Hackers had accessed data which included names, email addresses and phone numbers of 50 million Uber riders around the world.