Uber revealed last month that it paid a hacker $100,000 to keep quiet about the fact that he stole personal data on 57 million users. Now, details about the hacker’s identity are starting to come out—he is a 20-year-old from Florida who lives with his mother and wanted to help pay the bills, Reuters reports.
The payment was funneled to the hacker through Uber’s bug bounty program, which invites hackers to find vulnerabilities in pre-determined systems in exchange for cash. However, those payments usually max out in the tens of thousands of dollars—making the $100,000 payment particularly unusual.
The hacker wasn’t a participant in the bug bounty program, Reuters reported, and instead emailed the company demanding money. Uber directed him into the bug bounty program and used the process to uncover the hacker’s identity. The company then convinced him to delete the stolen data and sign a non-disclosure agreement about the incident.
Uber fired its chief security executive, Joe Sullivan, and another executive, Craig Clark, for their involvement in the arrangement with the hacker. “None of this should have happened, and I will not make excuses for it,” Uber’s CEO Dara Khosrowshahi said in a statement last month.
Several states and cities have sued the company, claiming it violated local breach disclosure laws by not publicly revealing the breach. Uber settled with the Federal Trade Commission earlier this year over a 2014 data breach, and agreed to 20 years of privacy audits as part of that settlement.