Ubiquiti dev charged with knocking $4bn off firm's value after insider threat spree

A Ubiquiti developer has been charged with stealing data from the company and extortion attempts totalling $2m in what prosecutors claim was a vicious campaign to harm the firm's share price – including allegedly planting fake press stories about the breaches. US federal prosecutors claimed that 36-year-old Nickolas Sharp had …

  1. ecarlseen

    Either way, this is an indictment of Ubiquiti

    Even if all of these allegations are true, I'm not sure if this makes Ubiquiti come out looking better or worse. If one person can cause this much infrastructure-level damage, what does it say about their infrastructure security architecture and overall commitment to security?

    One of the reasons I've been sharply critical about the mass-centralization of vital data is that it increases the value of a security breach to obscene levels. Even if an inside threat isn't inherently malicious, what about blackmail, extortion, etc.? There are many parts of the world where grabbing somebody's family and cutting off parts until compliance is reached is not exactly out of the question. I would never blame that person for complying. And if the value of a large-scale breach of, say, Google or Microsoft's cloud-hosted workspaces is in the hundreds of millions or even billions of dollars / Euros / pounds, how do you even defend against some group with the budget and discipline to make a serious, no-holds-barred attempt at that? With the current state of international relations, can we even rule out governments (including the "civilized Western" ones) if they're not in it for profit, just creating mass damage?

    Our industry has had many bad experiences caused by the technological equivalents of biological monoculture, and instead of learning from these it seems to be betting harder and harder on this.

    Even before information technology, there was an adage about putting all of your eggs in one basket.

    1. ecofeco Silver badge

      Re: Either way, this is an indictment of Ubiquiti

      "Even before information technology, there was an adage about putting all of your eggs in one basket."

      This. ^^

    2. Throatwarbler Mangrove Silver badge

      Re: Either way, this is an indictment of Ubiquiti

      Technically, no significant damage was done. Data was exfiltrated . . . to an employee's computer. The real damage done was by the claim to the press that there was a more significant data breach than actually occurred, which shows how vulnerable companies are to the mere appearance of data loss. It sounds like Ubiquiti tried to do the right thing, ethically speaking, and were punished by the market as a result.

      1. ecarlseen

        Re: Either way, this is an indictment of Ubiquiti

        Customers (and Ubiquiti, for that matter) had no way of knowing the difference and had to react accordingly. "No significant damage was done" only if you assume this costs nothing.

        We must deal with information that we are given. We then evaluate the credibility vs. the costs / benefits of reacting. In this case, the most reasonable response was to react as if the information was true.

        The problem is that Ubiquiti made themselves custodians of data whose security was absolutely vital and wound up in a position (due to decisions they made) where they could not determine the security of that data.

        In fairness, this is an extremely difficult problem to tackle well. But if a company is making that commitment on a large scale, then they need to be able to deliver on that commitment. Ubiquiti failed catastrophically.

      2. Trigonoceps occipitalis Silver badge

        Re: Either way, this is an indictment of Ubiquiti

        @Throatwarbler Mangrove

        "no significant damage was done"

        "false claims about the company wrongly downplaying the attack's severity, wiping $4bn off its market capitalisation"

        Look for anyone short selling!

    3. This post has been deleted by its author

  2. Anonymous Coward

    Devs... it's shit like this that causes sysadmins to not want to give you admin rights, along with:

    1. Installing random shitty tools from Sourceforge.

    2. Installing libraries and dependencies without checking the supply chain for typos and the dependency file for typos etc.

    3. You aren't real techies.

  3. You aint sin me, roit Silver badge

    Word to the wise...

    When extorting people, don't rely on the security of a Surfshark VPN; apparently it has a habit of dropping out, revealing your true IP address...

    I wonder what this will do to their share price.... oooo look, 83% off VPN deal ;)

    1. ICam

      Re: Word to the wise...

      That's a good point, although I came here to say that the now ex-Ubiquiti dev can't have been that good at his job if he failed so badly to cover his IP tracks.

      If you're going to attempt to extort your employer for ~USD$2m, it pays to be a lot more careful than this person apparently was.

Biting the hand that feeds IT © 1998–2022