(Bloomberg) --Uber’s information security chief, John Flynn, defended the company’s practice of paying hackers to find security flaws as he faced lawmakers over a data breach in 2016 where hackers stole the personal information from 57 million people.
“Uber’s bug bounty program unquestionably has increased the scale and speed at which we are able to identify and eliminate cybersecurity threats,” Flynn told members of the U.S. Senate subcommittee on consumer protection, product safety, insurance, and data security, in prepared remarks.
Uber Technologies Inc. paid about $1.3 million to hundreds of independent hackers to find flaws in the ride-hailing startup’s digital security systems, Flynn told the panel Tuesday.
Uber was called to Washington to discuss the October 2016 data breach that the company concealed for more than a year. In the incident, which Bloomberg News reported in November, hackers stole the personal data of customers and drivers and the company paid them $100,000 to delete it and keep the breach quiet.
Uber initially classified the hack as part of its existing bug bounty program and did not disclose it to the public or regulators. In his testimony, Flynn acknowledged that the incident was notably different from a typical bug bounty since the hackers had downloaded sensitive information rather than simply alert Uber about the vulnerability. Flynn said the breach should have been disclosed.
“The fact that the company took approximately a year to notify impacted users raises red flags within this committee as to what systemic issues prevented such time-sensitive information from being made available to those left vulnerable,” Chairman Jerry Moran, a Republican senator from Kansas, said at the start of the hearing.
The compromised data included names, phone numbers, and email addresses of 50 million Uber riders around the world and personal information of about 7 million drivers including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber said in November.
Flynn acknowledged that the incident revealed the pitfalls of working with hackers to identify security risks and said it unfolded in a way that was a departure from the traditional bug bounty program.
“The intruders not only found a weakness, they also exploited the vulnerability in a malicious fashion to access and download data,” Flynn said.
After anonymously notifying Uber of the breach, the hackers asked for a six-figure payout. Flynn said the money was doled out with help from HackerOne, a security firm started by hackers and security professionals.
Uber ousted its chief security officer and one of his deputies for their role in concealing the data theft. Flynn said the company regretted that ride-hailing service didn’t publicly report the incident earlier.
Since launching the bug bounty program almost three years ago, Uber has worked with more than 500 outside experts and resolved more than 800 system vulnerabilities, Flynn said.