Inside Uber's eventual $100,000 payment to a hacker, and the fallout

The hacking is now the subject of at least four lawsuits, with attorneys general in five states investigating whether Uber broke laws on data-breach notifications

“Hello Joe,” read the November 2016 email from someone identifying himself as “John Doughs.” “I have found a major vulnerability in Uber.”
 

The email appeared to be no different from other messages that Joe Sullivan, Uber’s chief security officer, and his team routinely received through the company’s “bug bounty” programme, which pays hackers for reporting holes in the ride-hailing service’s systems, according to current and former Uber security employees.

Yet the note and Uber’s eventual $100,000 payment to the hacker, which was initially celebrated internally as a rare win in corporate security, have since turned into a public relations debacle for