Ubiquiti, a maker of IoT and cloud-managed networking devices, is alleged to have massively downplayed a “catastrophic” cyber incident in January to minimize the impact on its stock price, and to have blamed the incident on a "third-party cloud provider" to hide the real scope of the breach.
In January this year, Ubiquiti, which offers cloud-enabled IoT devices such as routers, network video recorders, and security cameras, disclosed a security breach in an email to affected customers, stating that hackers had obtained “unauthorized access to certain of our information technology systems hosted by a third party cloud provider.”
The company said at the time that, even though IT systems hosted by the cloud provider were accessed by unknown parties, it had found no evidence of access to any databases holding user data. Nevertheless, it advised all users to change their passwords and enable two-factor authentication on their Ubiquiti accounts.
However, according to a security professional at Ubiquiti who helped the company respond to the incident in December, Ubiquiti “massively downplayed a catastrophic incident to minimize the hit to its stock price,” and the third-party cloud provider claim was a fabrication.
The security professional, who spoke on condition of anonymity, told KrebsOnSecurity that he raised his concerns with both Ubiquiti’s whistleblower hotline and with European data protection authorities before deciding to get in touch with Krebs.
“It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers. The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk,” he wrote in a letter to the European Data Protection Supervisor.
The Ubiquiti employee also told KrebsOnSecurity that hackers gained full access to Ubiquiti databases hosted by Amazon Web Services (AWS), the unnamed “third party” involved in the breach. Ubiquiti’s breach disclosure was “downplayed and purposefully written to imply that a 3rd party cloud vendor was at risk and that Ubiquiti was merely a casualty of that, instead of the target of the attack,” he added. Ubiquiti has not yet commented on the allegations.
While the allegations are yet to be investigated by data protection authorities, the security professional's claims bring back memories of Uber's actions in the aftermath of a massive data breach the ride-hailing company suffered in 2016.
Between October and November 2016, two hackers obtained the login credentials for one of Uber's Amazon Web Services servers and used them to access a huge database containing personal information of thousands of registered Uber drivers as well as 57 million customers.
To hide the breach, Uber paid a $100,000 ransom to the two individuals and chose to brush the incident under the carpet. However, in November 2017, the company's new CEO Dara Khosrowshahi decided to come clean and announced the scale of the breach to the public.
Subsequently, the ICO issued a fine of £385,000 to Uber under the Data Protection Act, 1998 for failing to safeguard the personal information of around 2.7 million UK customers, including 82,000 drivers, and for not informing affected customers about the incident.
Commenting on the allegations against Ubiquiti's conduct in the aftermath of a data breach, Richard Hughes, Head of Technical Cyber Security at A&O IT Group, told Teiss, “The statement from a whistleblower that Ubiquiti Networks downplayed a cyber attack risking the security and potentially safety of their clients to protect their stock value is deeply concerning and if proven true, must be met with the most severe penalties to serve as an example to other organisations that this is not acceptable behaviour.
“When faced with cybersecurity risk it is important to act quickly to remediate issues and protect your environment, but Ubiquiti customers may not have been afforded this option if these claims are true. It is not clear if the whistleblower has provided any evidence to back the claims and so it is impossible to draw any conclusions at this time as to the validity of this claim.
“Some organisations will find it acceptable to prioritise their interests ahead of those of their customers, but this is ill-advised. This behaviour is at best unethical and in many cases illegal and has the potential to do far more damage to the reputation and therefore the stock value of an organisation than open and honest disclosure,” he added.
According to multimedia financial-services company The Motley Fool, Ubiquiti's stock value fell more than 10% on Wednesday following the publication of the allegations by KrebsOnSecurity. "It is far too early to say exactly what happened with Ubiquiti or what the long-term impact on the business will be, but the whistleblower allegations clearly add to the risks associated with the company, and the stock is reacting to that added risk on Wednesday," it said.