Tag Archives: Exclusive
SAN FRANCISCO (Reuters) – When Tesla Inc announced last month a second round of job cuts to rein in costs, one crucial department was particularly badly hit. The automaker more than halved the division that delivers its electric vehicles to North American customers, two of the laid-off workers said.
FILE PHOTO: A Tesla logo is seen at a groundbreaking ceremony of Tesla Shanghai Gigafactory in Shanghai, China January 7, 2019. REUTERS/Aly Song/File Photo
Some 150 employees out of a team of about 230 were let go in January at the Las Vegas facility that gets tens of thousands of Model 3s into the hands of U.S. and Canadian buyers, they said, in a sign the company expected the pace of deliveries to significantly slow in the near term.
The cuts, which have not been previously reported, could fuel investor worries that demand for the Model 3 in the United States has tailed off after a large tax break for consumers expired last year and the car remains too expensive for most consumers.
Tesla has said its focus this quarter is on supplying cars to customers waiting in China and Europe.
“There are not enough deliveries,” one of the former employees told Reuters. “You don’t need a team because there are not that many cars coming through.”
Delivery of the Model 3 was the company’s key priority in the latter half of 2018, as Tesla tried to supply all buyers wanting the full benefit of the $7,500 U.S. tax credit before it was cut in half at year’s end.
The Model 3 is crucial to Tesla’s plans for long-term profitability. The company aims to post a profit in each quarter this year, based on the expectation that it will sell more Model 3s and continue to cut costs.
Tesla declined to comment on the job reductions in the delivery team. The company still has an undisclosed number of delivery personnel attached to other locations.
‘EVERY BEING ON THE PLANET’
Even before the paring back of the delivery team, investors questioned the level of demand for the Model 3 remaining after Tesla’s all-out push to supply buyers ahead of the tax credit cut.
“Given the need for revenue to cover costs and generate cash, the financial community should be focused on the level of demand for Tesla vehicles – in particular the Model 3,” wrote Barclays analyst Brian Johnson in January.
The two former delivery workers said the 2018 sales push has left Tesla’s reservations list plucked clean of North American buyers willing to pay current prices of over $40,000 to get their hands on a Model 3.
Chief Executive Elon Musk initially said in 2016 the car would start at $35,000 – which sparked a rush of reservations – but Tesla has yet to actually sell any cars at that price, despite two price cuts already this year.
“We sold through just about every car we had on the ground and we called almost every being on the planet who had ever expressed desire to own a Tesla to let them know the tax credit was expiring,” said the other ex-employee.
Tesla workers around the company were reassigned to pitch in, that source said.
“They said, ‘Your job is off the table now, we have to get these cars delivered. Because if we don’t get these cars delivered, you don’t have a job tomorrow,’” the former employee said.
HALF A MILLION BUYERS
At the Model 3 launch in July 2017, Musk said over half a million buyers had put down deposits on the new car. That helped send Tesla shares up almost 15 percent over the following six weeks.
The company delivered 145,610 Model 3s in 2018, but all of them at prices far above $35,000. Musk said last week a $35,000 version that could be sold profitably was perhaps six months away. Even with two price cuts this year, the lowest price tag on a Model 3 is now $42,900.
Musk maintains that Model 3 demand is “insanely high,” but his company has not released any figures to demonstrate that.
Asked about the reservations list last week by analysts, outgoing Chief Financial Officer Deepak Ahuja declined to disclose how many people remained, calling it “not relevant.”
Musk has said Tesla has multiple ways of stoking demand, if it chose to, such as offering leases or boosting marketing efforts.
The Model 3s now rolling out of Tesla’s Fremont, California, factory are going to Chinese and European buyers, Tesla says.
The two laid-off employees said delivery targets for North America – made up of mostly U.S. buyers – this quarter would be 55 percent to 60 percent of what they were in the last quarter of 2018.
If Tesla does not cut prices soon, it risks losing potential customers – and ones already on its reservation list – to a slew of German and Asian competitors whose electric vehicles will hit the U.S. market this year. Each of the new entrant’s first 200,000 buyers will be eligible for a full federal subsidy.
Having met that number already, the U.S. tax credit for Tesla buyers drops in half to $3,750 for the first six months of 2019, then falls by half again in the second six months.
Musk said last month his “rough guess” was that Tesla would begin building the $35,000 Model 3 in mid-2019.
One of the sources said that could recharge U.S. demand: “If there was a Model 3 for $35,000 that was still a really good car, that blows away the competition, I could see demand going through the roof.”
Reporting by Alexandria Sage in San Francisco; Editing by Greg Mitchell and Bill Rigby
U.S. President Donald Trump sits for an exclusive interview with Reuters journalists in the Oval Office at the White House in Washington, U.S. December 11, 2018. REUTERS/Jonathan Ernst
WASHINGTON (Reuters) – U.S. President Donald Trump said on Tuesday he would intervene in the Justice Department’s case against a top executive at China’s Huawei Technologies [HWT.UL] if it would serve national security interests or help close a trade deal with China.
Huawei’s Chief Financial Officer Meng Wanzhou was arrested in Canada Dec. 1 and has been accused by the United States of misleading multinational banks about Iran-linked transactions, putting the banks at risk of violating U.S. sanctions.
When asked if he would intervene with the Justice Department in her case, Trump said in an interview with Reuters: “Whatever’s good for this country, I would do.”
“If I think it’s good for what will be certainly the largest trade deal ever made – which is a very important thing – what’s good for national security – I would certainly intervene if I thought it was necessary,” Trump said.
A Canadian court on Tuesday granted Meng bail while she awaits a hearing for extradition to the United States, a move that could help placate Chinese officials angered by her arrest.
Trump also said the White House has spoken with the Justice Department about the case, as well as Chinese officials.
“They have not called me yet. They are talking to my people. But they have not called me yet,” he said when asked if he has spoken to Chinese President Xi Jinping about the case.
Reporting by Jeff Mason and Steve Holland; Editing by Bill Rigby
MOSCOW (Reuters) – U.S. sanctions targeting Russia’s nascent high tech industry have caused a Russian microchip company significant financial woes and delayed the launch of an initiative meant to produce substitutes for Western products, the firm’s owner said.
FILE PHOTO: Russian Prime Minister Dmitry Medvedev visits a plant of Russian microchip company Angstrem-T in Zelenograd near Moscow, Russia August 3, 2016. Sputnik/Dmitry Astakhov/Pool via REUTERS
President Vladimir Putin has stressed the need to develop Russia’s domestic tech industry to make it less dependent on Western equipment. But Moscow’s efforts to manufacture Russian microchips and other high tech products have been thwarted by U.S. sanctions against a string of Russian tech companies.
Angstrem-T, which makes semi-conductors, has accumulated significant debts and is set to be taken over by state development bank VEB after failing to reimburse an 815-million-euro ($944.75 million) loan dating back to 2008, said Leonid Reiman, chairman of the company’s board of directors.
Reiman, Russia’s former minister of communications and information technologies, said the company’s inability to reimburse its debt was in part tied to U.S. restrictions on the import of dual-use technologies and its addition to U.S. Treasury sanctions in 2016.
The U.S. moves were prompted by Russia’s annexation of Ukraine’s Crimean peninsula in 2014 and its support for separatist rebels in eastern Ukraine. It has imposed further sanctions against Russia since 2016 over other issues.
Prior to the sanctions Angstrem-T purchased most of its equipment from U.S. multinational firm Advanced Micro Devices and bought a license from IBM to produce chips.
The company is heavily reliant on U.S. products, but the sanctions now bar it from doing business with U.S. firms.
“Although we initially received the (U.S.) State Department’s consent for this project and the delivery of the technology here, the sanctions caused the deadlines for its completion to be drawn out,” Reiman told Reuters.
“The factory is working, the products are being produced, but the question of procurement remains.”
VEB, which Reiman said could become the majority owner of Angstrem-T by the end of the year, declined to comment.
When Angstrem-T began producing its first chips in 2016 after nearly a decade of false starts and delays, Prime Minister Dmitry Medvedev depicted the initiative as a way Russia could surmount already existing U.S. sanctions.
“It’s good that we are starting to produce these ourselves,” Medvedev said at the factory’s opening, a month before Angstrem-T itself was targeted by the U.S. sanctions. “It’s a question of import substitution.”
Reiman would not disclose the magnitude of Angstrem-T’s debt. According to a Russian database that aggregates company data, the firm had 87.4 billion roubles ($1.34 billion) in debt last year. During the same period it recorded revenues of 101 million roubles.
A source in the field of microelectronics in Russia said the sanctions and repeated delays in the project had caused Angstrem-T’s products to become outdated.
The market for the 90 and 130-nanometre microchips it produces has significantly shrunk in recent years, according to the source.
A draft Russian government roadmap for the development of the microchip industry seen by Reuters says that once VEB’s takeover is complete, Angstrem-T should shift its production to the more modern 28-nanometre chips.
Such chips are used in products made by companies like Apple, Samsung and Sony.
The ministry has for several years lobbied for Russia to build a modern microchip plant, but to no avail.
Reporting by Maria Kolomychenko; Writing by Gabrielle Tétrault-Farber; Editing by Gareth Jones
(Reuters) – The United States signed an agreement with ZTE Corp (000063.SZ) that paves the way for the Chinese tech company to resume operations after a nearly three-month old ban on doing business with American suppliers, the U.S. Commerce Department said on Wednesday.
The ban on China’s No. 2 telecommunications equipment maker will be removed once the company deposits $400 million in an escrow account, the Commerce Department said, which it can do now that Commerce officials signed an escrow agreement.
“Once ZTE has completed the $400 million escrow deposit,” the Commerce Department said in a statement, it will “issue a notice lifting the denial order.” ZTE did not immediately respond to a request for comment.
The escrow agreement is part of a $1.4 billion settlement ZTE reached with the U.S. Commerce Department last month to regain access to U.S. suppliers, whose components it relies on for its smart phones and networking gear.
The escrow account gives the United States an additional $400 million if ZTE violates the settlement. ZTE paid the $1 billion fine to the U.S. Treasury last month.
Once the ban is lifted, ZTE, which employs around 80,000 people, is expected to restart major operations, which would remove a sticking point within the broader U.S.-China trade war. The reprieve for ZTE coincides with a new Trump administration threat of 10 percent tariffs on $200 billion of Chinese goods.
In its statement, the Commerce Department said the ZTE action is a law enforcement matter unrelated to broader discussions of trade policy.
Reporting by Karen Freifeld; Editing by Cynthia Osterman
(Reuters) – Major technology and aerospace companies including Amazon.com Inc (AMZN.O), Intel Corp (INTC.O), Qualcomm Inc (QCOM.O), Raytheon Co (RTN.N) and Airbus SE (AIR.PA) are vying to take part in a new slate of drone tests the United States is set to announce on Wednesday, people familiar with the matter told Reuters.
The wide interest in the U.S. initiative, launched by President Donald Trump last year, underscores the desire of a broad range of companies to have a say in how the fledgling industry is regulated and ultimately win authority to operate drones for everything from package delivery to crop inspection.
The pilot program will allow a much larger range of tests than are generally permitted by federal aviation regulators, including flying drones at night, over people and beyond an operator’s line of sight.
The U.S. Transportation Department is set to announce 10 winning state, local or tribal governments to host the experiments out of 149 applicants. Secretary Elaine Chao will make the winners public on Wednesday. The governments in turn have partnered with companies who will play a role in the tests.
At least 200 companies applied as partners in the program, a U.S. official said.
Companies including Apple Inc (AAPL.O), Boeing Co (BA.N) and Ford Motor Co (F.N) have also expressed interest in the program, the sources said, though it was unclear whether they all had joined applications and what they would be testing.
Qualcomm confirmed it is on at least three applications, and Intel said it hopes to participate in the program. The other companies did not immediately answer requests for comment.
Changes to U.S. policy that result from the tests are not expected for some time. Package delivery, which can be particularly complex, might not take place until later on during the program.
Earl Lawrence, who directs the U.S. Federal Aviation Administration’s unmanned aircraft systems integration office, told a Senate panel on Tuesday that many of the other projects “could go forward under the FAA’s existing rules, including with waivers where appropriate.”
He said after “the 10 selections for the pilot program are announced, the FAA will be reaching out to other applicants, as well as interested state and local authorities, to provide additional information on how to operationalize their proposed projects.”
The FAA is also working on proposed regulations to ensure the safety of drones and their integration into U.S. airspace.
The initiative is significant for the United States, which has lagged other countries in drone operations for fear of air crashes. That had pushed companies like Amazon to experiment overseas.
In the United Kingdom, the world’s largest online retailer already sends some packages by drone. It completed its first such mission in late 2016, taking 13 minutes from click to delivery.
Reporting by Jeffrey Dastin in San Francisco and David Shepardson in Washington; Additional reporting by Stephen Nellis and Paul Lienert; editing by Chris Sanders and David Gregorio
MOSCOW/TORONTO (Reuters) – Moscow-based Kaspersky Lab plans to open a data center in Switzerland to address Western government concerns that Russia exploits its anti-virus software to spy on customers, according to internal documents seen by Reuters.
Kaspersky is setting up the center in response to actions in the United States, Britain and Lithuania last year to stop using the company’s products, according to the documents, which were confirmed by a person with direct knowledge of the matter.
The action is the latest effort by Kaspersky, a global leader in anti-virus software, to parry accusations by the U.S. government and others that the company spies on customers at the behest of Russian intelligence. The U.S. last year ordered civilian government agencies to remove the Kaspersky software from their networks.
Kaspersky has strongly rejected the accusations and filed a lawsuit against the U.S. ban.
The U.S. allegations were the “trigger” for setting up the Swiss data center, said the person familiar with Kaspersky’s Switzerland plans, but not the only factor.
“The world is changing,” they said, speaking on condition of anonymity when discussing internal company business. “There is more balkanisation and protectionism.”
The person declined to provide further details on the new project, but added: “This is not just a PR stunt. We are really changing our R&D infrastructure.”
A Kaspersky spokeswoman declined to comment on the documents reviewed by Reuters.
In a statement, Kaspersky Lab said: “To further deliver on the promises of our Global Transparency Initiative, we are finalizing plans for the opening of the company’s first transparency center this year, which will be located in Europe.”
“We understand that during a time of geopolitical tension, mirrored by an increasingly complex cyber-threat landscape, people may have questions and we want to address them.”
Kaspersky Lab launched a campaign in October to dispel concerns about possible collusion with the Russian government by promising to let independent experts scrutinize its software for security vulnerabilities and “back doors” that governments could exploit to spy on its customers.
The company also said at the time that it would open “transparency centers” in Asia, Europe and the United States but did not provide details. The new Swiss facility is dubbed the Swiss Transparency Centre, according to the documents.
Work in Switzerland is due to begin “within weeks” and be completed by early 2020, said the person with knowledge of the matter.
The plans have been approved by Kaspersky Lab CEO and founder Eugene Kaspersky, who owns a majority of the privately held company, and will be announced publicly in the coming months, according to the source.
“Eugene is upset. He would rather spend the money elsewhere. But he knows this is necessary,” the person said.
It is possible the move could be derailed by the Russian security services, who might resist moving the data center outside of their jurisdiction, people familiar with Kaspersky and its relations with the government said.
Western security officials said Russia’s FSB Federal Security Service, successor to the Soviet-era KGB, exerts influence over Kaspersky management decisions, though the company has repeatedly denied those allegations.
The Swiss center will collect and analyze files identified as suspicious on the computers of tens of millions of Kaspersky customers in the United States and European Union, according to the documents reviewed by Reuters. Data from other customers will continue to be sent to a Moscow data center for review and analysis.
Files would only be transmitted from Switzerland to Moscow in cases when anomalies are detected that require manual review, the person said, adding that about 99.6 percent of such samples do not currently undergo this process.
A third party will review the center’s operations to make sure that all requests for such files are properly signed, stored and available for review by outsiders including foreign governments, the person said.
Moving operations to Switzerland will address concerns about laws that enable Russian security services to monitor data transmissions inside Russia and force companies to assist law enforcement agencies, according to the documents describing the plan.
The company will also move the department which builds its anti-virus software using code written in Moscow to Switzerland, the documents showed.
Kaspersky has received “solid support” from the Swiss government, said the source, who did not identify specific officials who have endorsed the plan.
Reporting by Jack Stubbs in Moscow and Jim Finkle in Toronto; Editing by Jonathan Weber
SAO PAULO (Reuters) – Amazon.com Inc (AMZN.O) is looking to lease a 50,000-square-meter warehouse just outside Sao Paulo, people familiar with the matter told Reuters, as it steps up its push into Latin America’s biggest retail market, Brazil.
The logistics investment, which would be four times the size of its current book-shipping operation in the country, is a sign the online retailer may soon handle distribution of electronics and other goods sold on its Brazilian website.
That would be the first step of its kind for Amazon in Latin America’s largest economy, where it currently relies on third parties to ship their own goods sold on its marketplace, and it underscores the seriousness of the e-commerce giant’s renewed push into Brazil.
Amazon declined to comment on questions about leasing a warehouse.
While an estimated two-thirds of Brazil’s 209 million people have internet access, online retail was slow to take off at first, amid concerns over security and complications with tax and logistics in the continent-sized country.
E-commerce accounts for around 5 percent of Brazil’s roughly $300 billion retail market — about half its share in the United States — but it has doubled in the past four years and is forecast to keep growing annually at a double-digit pace.
Now Amazon, which expanded its Brazil business from books to electronics in October, is gearing up to fight rivals such as Latin America’s homegrown e-commerce champion Mercado Libre Inc (MELI.O) and B2w Cia Digital (BTOW3.SA), which is indirectly controlled by partners of private equity group 3G Capital.
“You obviously can’t underestimate a company like Amazon,” said Pedro Guasti, CEO of Brazilian online consultancy Ebit. “It has huge capacity to invest and it’s obviously taking a bigger bite of the cake than it did last year.”
Mercado Libre Inc, B2w and local retailer Magazine Luiza SA (MGLU3.SA) have stolen a march on Amazon by storing and shipping goods appearing on their websites even when offered by third-party sellers, to ensure speed and customer satisfaction.
Amazon, by contrast, has been slow to tackle the challenges of shipping in a country where tricky logistics and tax issues have long made online retail an unprofitable venture.
In Mexico, Amazon launched its third-party marketplace coupled with its own shipping service, called “Fulfillment by Amazon,” in 2015.
The contrast has been stark. Nearly 20 percent of reviews on Amazon’s Brazilian marketplace are negative, compared with 10 percent in Mexico and just 4 percent in the United States, according to e-commerce analytics firm Marketplace Pulse.
Complaints in Brazil often focus on delayed or canceled orders – a problem dramatically reduced in other countries when Amazon itself packs and posts orders of third-party goods stored at its warehouse facilities.
In an early sign of Amazon’s Brazilian logistics push, the company posted more than a dozen listings for distribution jobs in the country to LinkedIn last year, including “Site leader, Fulfillment Center”.
The new warehouse site outside of Sao Paulo, in the municipality of Cajamar, looks to be a step in that direction.
There San Francisco-based logistics company Prologis Inc (PLD.N) has offered a 50,000-square-meter space to Amazon in a new industrial park that hosts DHL and Samsung, according to sources, who said adaptation of the warehouse had not begun.
Prologis, which also partnered with Amazon on a mega-warehouse north of Mexico city last year, declined to comment.
The preparations in Brazil come as Luft, the local logistics operator for Amazon’s book business, readies a move into another Prologis site nearby in Cajamar, sources said, leaving its current 12,000-square-meter facility in the city of Barueri.
Amazon registered in October to conduct operations in Cajamar, according to municipal records seen by Reuters.
The new logistics investment could spell trouble for rivals.
Mercado Libre has been a success story among Latin America tech start-ups: its shares have nearly tripled since 2014, bringing its market capitalization to more than $15 billion.
Magazine Luiza’s stock has risen sixfold in each of the past two years as it rolled out an ambitious e-commerce strategy built on its brick and mortar stores.
Reporting by Gabriela Mello; Writing and additional reporting by Brad Haynes; Editing by Daniel Flynn and Alistair Bell
HONG KONG (Reuters) – China’s Ant Financial Services Group is planning to raise up to $5 billion in fresh equity that could value the online payments giant at more than $100 billion, people familiar with the move told Reuters.
A fundraising would bring Ant, in which e-commerce firm Alibaba Group Holding Ltd is taking a one-third stake, a step closer to a hotly anticipated initial public offering by establishing a more current valuation.
Ant’s last fundraising in 2016 valued the owner of Alipay, China’s top online payment platform, at about $60 billion. The new round should start with a valuation of between $80 billion and $100 billion, the people said.
Ant is currently in talks to appoint advisers for the fundraising which is expected to be launched in the next couple of months, they added.
Ant declined to comment on its fundraising plans. All the people spoke to Reuters on the condition they not be identified due to the sensitivity of the issue.
While no timetable for an IPO has been set, nor any location yet chosen, Ant’s plans are being viewed as a pre-IPO fundraising, the people said. A pre-IPO round is an increasingly common move by sought-after Chinese companies to establish valuations and widen their investor base ahead of going public.
It was not immediately clear how the company plans to use the fresh cash.
The exact timing and size of the fundraising still depends on investor feedback but any deal will add to an already hectic pace of domestic and offshore fundraising by Chinese tech firms that are looking to expand both at home and abroad.
Chinese e-commerce firm JD.com is raising funds for its logistics unit with a target of attracting at least $2 billion, while live-video streaming start-up Kuaishou is nearing the close of a $1 billion funding round, sources have said.
Ant’s own existing investments include stakes in Paytm, the Indian mobile payment and e-commerce website, and Thai financial technology firm Ascend Money.
Last month, however, Ant suffered a setback when a U.S. government panel rejected its $1.2 billion offer for money transfer company MoneyGram International over security concerns.
At home, in addition to its core online payments business, which Ant says has 520 million yearly users, the company also offers wealth management, credit scoring, micro lending and insurance services.
Last week, Alibaba announced it would take a 33 percent stake in Ant – replacing the current system where Alibaba receives 37.5 percent of Ant’s pre-tax profit – in what was viewed as an important step ahead of any IPO.
Alibaba set up Alipay in 2004, modeling the business on PayPal, to help Chinese buyers shop online, and later controversially spun it off ahead of its own listing in 2014. Jack Ma, Alibaba’s founder, controls Ant, according to Alibaba filings with the U.S. Securities and Exchange Commission.
Ant is considered by some analysts as one of the most valuable Alibaba assets due to its unique position in Chinese e-commerce.
Current shareholders in Ant include large state-owned institutions such as China Life Insurance, China Post Group – parent of Postal Savings Bank of China – and a unit of China Development Bank.
Reporting by Sumeet Chatterjee and Julie Zhu; Additional reporting by Kane Wu; Editing by Muralikumar Anantharaman and Edwina Gibbs
WASHINGTON (Reuters) – The Federal Communications Commission plans to fine Sinclair Broadcasting Corp $13.3 million after it failed to properly disclose that paid programming that aired on local TV stations was sponsored by a cancer institute, three people briefed on the matter told Reuters.
The proposed fine, which covers about 1,700 spots including commercials that looked like news stories that aired during newscasts for the Utah-based Huntsman Cancer Institute over a six-month period in 2016, could bolster critics of Sinclair’s proposed $3.9 billion acquisition of Tribune Media Co.
Sinclair Broadcasting and a spokesman for the FCC declined to comment. Sinclair, which has told reporters previously the violations were unintentional, disclosed the investigation in financial filings.
Sinclair, which owns more than 170 U.S. television stations and is the largest U.S. operator, announced plans in May to acquire Tribune’s 42 TV stations in 33 markets as well as cable network WGN America and digital multicast network Antenna TV, extending its reach to 72 percent of American households. The FCC and Justice Department are reviewing Sinclair’s proposed acquisition of Tribune.
The proposed fine, which was approved by the five-member FCC earlier this week but has not yet been made public, is significant, officials said. The penalty represents an average fine of about $7,700 for each of the improperly aired spots but is significantly less than the maximum fine Sinclair could have faced under the law.
Sinclair will have the opportunity to respond to the proposed fine before it becomes final.
Reporting by David Shepardson; Editing by Nick Zieminski
SAN FRANCISCO/WASHINGTON (Reuters) – A 20-year-old Florida man was responsible for the large data breach at Uber Technologies Inc last year and was paid by Uber to destroy the data through a so-called “bug bounty” program normally used to identify small code vulnerabilities, three people familiar with the events have told Reuters.
Uber announced on Nov. 21 that the personal data of 57 million passengers and 600,000 drivers were stolen in a breach that occurred in October 2016, and that it paid the hacker $100,000 to destroy the information. But the company did not reveal any information about the hacker or how it paid him the money.
Uber made the payment last year through a program designed to reward security researchers who report flaws in a company’s software, these people said. Uber’s bug bounty service – as such a program is known in the industry – is hosted by a company called HackerOne, which offers its platform to a number of tech companies.
Reuters was unable to establish the identity of the hacker or another person who sources said helped him. Uber spokesman Matt Kallman declined to comment on the matter.
Newly appointed Uber Chief Executive Dara Khosrowshahi fired two of Uber’s top security officials when he announced the breach last month, saying the incident should have been disclosed to regulators at the time it was discovered, about a year before.
It remains unclear who made the final decision to authorize the payment to the hacker and to keep the breach secret, though the sources said then-CEO Travis Kalanick was aware of the breach and bug bounty payment in November of last year.
Kalanick, who stepped down as Uber CEO in June, declined to comment on the matter, according to his spokesman.
A payment of $100,000 through a bug bounty program would be extremely unusual, with one former HackerOne executive saying it would represent an “all-time record.” Security professionals said rewarding a hacker who had stolen data also would be well outside the normal rules of a bounty program, where payments are typically in the $5,000 to $10,000 range.
HackerOne hosts Uber’s bug bounty program but does not manage it, and plays no role in deciding whether payouts are appropriate or how large they should be.
HackerOne CEO Marten Mickos said he could not discuss an individual customer’s programs. “In all cases when a bug bounty award is processed through HackerOne, we receive identifying information of the recipient in the form of an IRS W-9 or W-8BEN form before payment of the award can be made,” he said, referring to U.S. Internal Revenue Service forms.
According to two of the sources, Uber made the payment to confirm the hacker’s identity and have him sign a nondisclosure agreement to deter further wrongdoing. Uber also conducted a forensic analysis of the hacker’s machine to make sure the data had been purged, the sources said.
One source described the hacker as “living with his mom in a small home trying to help pay the bills,” adding that members of Uber’s security team did not want to pursue prosecution of an individual who did not appear to pose a further threat.
The Florida hacker paid a second person for services that involved accessing GitHub, a site widely used by programmers to store their code, to obtain credentials for access to Uber data stored elsewhere, one of the sources said.
GitHub said the attack did not involve a failure of its security systems. “Our recommendation is to never store access tokens, passwords, or other authentication or encryption keys in the code,” that company said in a statement.
‘SHOUT IT FROM THE ROOFTOPS’
Uber received an email last year from an anonymous person demanding money in exchange for user data, and the message was forwarded to the company’s bug bounty team in what was described as Uber’s routine practice for such solicitations, according to three sources familiar with the matter.
Bug bounty programs are designed mainly to give security researchers an incentive to report weaknesses they uncover in a company’s software. But complicated scenarios can emerge when dealing with hackers who obtain information illegally or seek a ransom.
Some companies choose not to report more aggressive intrusions to authorities on the grounds that it can be easier and more effective to negotiate directly with hackers in order to limit any harm to customers.
Uber’s $100,000 payout and silence on the matter at the time was extraordinary under such a program, according to Luta Security founder Katie Moussouris, a former HackerOne executive.
“If it had been a legitimate bug bounty, it would have been ideal for everyone involved to shout it from the rooftops,” Moussouris said.
Uber’s failure to report the breach to regulators, even though it may have felt it had dealt with the problem, was an error, according to people inside and outside the company who spoke to Reuters.
“The creation of a bug bounty program doesn’t allow Uber, their bounty service provider, or any other company the ability to decide that breach notification laws don’t apply to them,” Moussouris said.
Uber fired its chief security officer, Joe Sullivan, and a deputy, attorney Craig Clark, over their roles in the incident.
“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in a blog post announcing the hack last month.
Clark worked directly for Sullivan but also reported to Uber’s legal and privacy team, according to three people familiar with the arrangement. It is unclear whether Clark informed Uber’s legal department, which typically handled disclosure issues.
Sullivan and Clark did not respond to requests for comment.
In an August interview with Reuters, Sullivan, a former prosecutor and Facebook Inc (FB.O) security chief, said he integrated security engineers and developers at Uber “with our lawyers and our public policy team who know what regulators care about.”
Last week, three more top managers in Uber’s security unit resigned. One of them, physical security chief Jeff Jones, later told others he would have left anyway, sources told Reuters. Another of the three, senior security engineer Prithvi Rai, later agreed to stay in a new role.
Reporting by Joseph Menn in San Francisco and Dustin Volz in Washington; Additional reporting by Heather Somerville and Stephen Nellis in San Francisco; Editing by Jonathan Weber and Bill Rigby