The massive data breach at Uber that exposed the data of some 57 million accounts was the work of 20-year-old Florida man, who was paid by the ride-hailing company to destroy the information through its bug bounty program.
The revelation, which was uncovered by Reuters, is the latest mark against Uber as it struggles to move past its many controversies and reshape its toxic work culture.
Uber CEO Dara Khosrowshahi announced Nov 21. that personal data of riders and drivers in the U.S. had been stolen in a breach that occurred in October 2016. They paid a hacker $100,000 to destroy the information. Khosrowshahi fired two employees over the cover-up.
More from FORTUNE
The company never provided any information about the hacker or how he was paid. Sources told Reuters that former CEO Travis Kalanick, who stepped down in June, was aware of the data breach and the payment to the hacker.
Bug bounty programs are typically used to reward security researchers for finding vulnerabilities or flaws in software. It’s not practice to pay a hacker who has stolen data.
Uber uses HackerOne’s platform for its bug bounty program. HackerOne doesn’t manage Uber’s program.