A new report from Reuters says that a Florida man, 20, was behind the massive hack. The pilfered data included personal information such as names, email addresses and driver's license numbers, but not Social Security numbers and credit card information, the company said.
The payment was funnelled to the hacker through Uber's bug bounty program, which invites hackers to find vulnerabilities in pre-determined systems in exchange for cash.
The ride-hailing app paid the man, whose identity is still unknown, and an anonymous accomplice to delete the data through a "bug bounty" programme, according to Reuters.
According to three unnamed sources, as reported by Reuters, a 20-year-old was responsible for the catastrophic data breach, rather than a sophisticated group or state-sponsored team.
The man is "living with his mom in a small home trying to help pay the bills", a person close to the matter told Reuters. "None of this should have happened, and I will not make excuses for it", Uber's CEO Dara Khosrowshahi said in a statement last month.
Uber spokesman Matt Kallman declined to comment to Reuters. A former executive at the firm, Katie Moussouris, said that such a high payment would have been an "all-time record".
The hacker also paid a second person, who offered his services in accessing GitHub, to obtain credentials for accessing Uber's data.
In addition, rewards - even for the most critical issues - rarely earn bug bounty hunters such an amount.
It remains unclear who made the final decision to authorise the payment to the hacker and to keep the breach secret, though the sources said then-CEO Travis Kalanick was aware of the breach and bug bounty payment in November 2016. Uber directed the hacker into the bug bounty program and used the process to uncover his identity. Uber is also believed to have conducted a forensic analysis of the hacker's computer to make sure that all data on the company had been wiped.
Moussouris added that the failure to report the breach was a grievous error: "The creation of a bug bounty program doesn't allow Uber, their bounty service provider or any other company the ability to decide that breach notification laws don't apply to them".