(Rewrites throughout, adds senator’s comment on delayed disclosure)
By Dustin Volz
WASHINGTON, Feb 6 (Reuters) - The two people who hacked ride-hailing firm Uber’s data in 2016 were in Canada and Florida at the time, a company security executive told a U.S. congressional committee on Tuesday.
About 25 million people whose data was compromised in the breach live in the United States, Uber Technologies Inc chief information security officer John Flynn said in written testimony to a Senate Commerce Committee panel.
Of those, 4.1 million were drivers, said Flynn, whose testimony described new details about the hack, the handling of which prompted newly appointed Uber Chief Executive Officer Dara Khosrowshahi to fire two top security officials.
Uber disclosed the breach of 57 million worldwide users in November, about a year after it occurred.
Reuters reported in December that a 20-year-old man was primarily behind the breach, and that he was paid by Uber to destroy the data through a so-called “bug bounty” program, which is designed to reward researchers for uncovering security vulnerabilities.
Flynn confirmed the man who obtained data from Uber was in Florida and revealed that his partner, who first contacted the company on Nov. 14, 2016, to demand a six-figure payment, was in Canada.
Uber’s security team made contact with both people and received “assurances” the pilfered data had been destroyed before paying them $100,000, Flynn said. Sources familiar with the breach told Reuters in December the company did a forensic analysis of the Florida hacker’s computer to verify the deletions.
A Canadian Royal Canadian Mounted Police representative said she had no immediate comment on the case.
Flynn said Uber had made mistakes, including paying the hackers through its “bug bounty” program.
“We made a misstep in not reporting to consumers, and we made a misstep in not reporting to law enforcement,” Flynn said.
Republican and Democratic lawmakers admonished Uber for its delay in disclosing the breach.
“The fact that the company took approximately a year to notify impacted users raises red flags within this committee as to what systemic issues prevented such time-sensitive information from being made available to those left vulnerable,” Republican Jerry Moran said.
Democratic Senator Richard Blumenthal said Uber’s management of the hack was “morally wrong and legally reprehensible,” and that the company appeared to violate state rules for data breach disclosure.
Compromised data includes names, phone numbers and email addresses but not Social Security numbers or credit card information of Uber users. Driver’s license numbers of 600,000 drivers were also compromised. (Reporting by Dustin Volz and Jim Finkle; Editing by Alistair Bell and Grant McCool)