Uber says hackers behind data breach were in Canada, Florida

The two people behind a 2016 data breach at Uber Technologies Inc. were found to be in Canada and Florida, an Uber cyber security executive told the U.S. Congress on Tuesday.

About 25 million users affected by the breach are users located in the United States, John Flynn, chief information security officer at Uber, said in written testimony to a Senate Commerce Committee panel.

Uber announced the breach of 57 million worldwide users last November. Of those impacted in the United States, 4.1 million were drivers, according to the testimony.

Uber Canada announced late last year that 815,000 Canadian riders and drivers may have been affected.

The testimony from Flynn is the most comprehensive public account to date of the Uber hack, the handling of which prompted newly appointed Uberchief executive Dara Khosrowshahi to fire two of the company's top security officials.

'Bug bounty' program

Reuters reported in December that a 20-year-old man was primarily behind the massive data breach, and that he was paid by Uber to destroy the data through a so-called "bug bounty" program normally used to identify small code vulnerabilities.

Flynn confirmed the man who obtained data from Uber was in Florida and that his partner, who first contacted the company on Nov. 14, 2016, to demand a six-figure payment, was located in Canada.

The company's security team made contact with both people and received assurances the pilfered data had been destroyed before paying the intruders $100,000, Flynn said.

The fact that the company took approximately a year to notify impacted users raises red flags within this committee as to what systemic issues prevented such time-sensitive information from being made available to those left vulnerable,- Republican Sen. Jerry Moran

Uber has received criticism for its handling of the breach, and lawmakers in both parties on Tuesday piled on with several admonishments.

"The fact that the company took approximately a year to notify impacted users raises red flags within this committee as to what systemic issues prevented such time-sensitive information from being made available to those left vulnerable,"Republican Sen. Jerry Moran said.

Flynn repeatedly acknowledged Uber had made mistakes and that it should not have not used the company's bug bounty service designed to reward security researchers who report flaws found in a company's software to negotiate with a hacker seeking to extort money.

"We made a misstep in not reporting to consumers, and we made a misstep in not reporting to law enforcement," he said.

The compromised data included names, phone numbers and email addresses but not Social Security numbers or credit card information. The driver's license numbers of 600,000 drivers were also compromised.