The ride-sharing company announced that it had sustained a hack in late November, but the hack had actually occurred about a year earlier. The company did not say how it paid the hacker nor has it revealed any identifiable information about the person.
Three people familiar with the payments told Reuters in a new report that the payment was made through Uber's bug bounty program, which is essentially a way for companies to pay people to find flaws in their software systems.
While most payments are around $5,000 to $10,000, the hacker reaped far more fruits from this harvest.
Paying a hacker through the bug bounty program generally violates the rules of a normal bounty program, according to cybersecurity professionals. But it makes sense if you want to cover up the fact that a hack actually occurred.
"The creation of a bug bounty program doesn't allow Uber, their bounty service providers, or any other company the ability to decide that breach notification laws don't apply to them," according to Katie Moussouris, founder of Luta Security.
Uber Chief Executive Dara Khosrowshahi said "none of this should have happened" when announcing the breach in November. At the time of the breach, scandal-plagued former Uber executive Travis Kalanick was running the company. Kalanick resigned in June at the request of investors.
In early 2017, Kalanick was accused of sexually harassing an engineer who used to work for him.