Ubiquiti confirms it was the target of an extortion attempt, but nothing more
Networking equipment and IoT device vendor Ubiquiti Networks released a statement late last night confirming some of the details exposed earlier this week by a whistleblower related to a 2020 data breach, but avoided confirming others.
The updated statement, posted on the company’s support forum, expands on a vague data breach notification email the company sent users on January 11, 2021.
At the time, Ubiquiti said it learned of unauthorized access to its cloud-based systems and urged UI.com users to change their passwords.
Earlier this week, a whistleblower involved in the data breach investigation leaked to the press a copy of a letter they sent to European data protection authorities, accusing Ubiquiti of covering up the severity of the intrusion.
According to the whistleblower, the hacker breached Ubiquiti’s Amazon Web Services (AWS) account in December 2020 and proceeded to download the company’s source code, install malware, and access customer data.
When Ubiquiti learned of the intrusion and removed one of the attacker’s backdoors, the hacker demanded a 50 bitcoin ransom to reveal the location of a second backdoor, stay quiet about the security breach, and not leak source code they stole from Ubiquiti’s network.
Yesterday, after two days of staying quiet on the subject, Ubiquiti finally issued a formal statement confirming the extortion demand but nothing else.
Despite the whistleblower’s claims describing a broad intrusion where the hacker had access to everything, the company stood fast on its assessment that it did not find any evidence that customer information was accessed or even targeted.
It also did not confirm that source code was stolen.
Furthermore, Ubiquiti’s statement doesn’t address the whistleblower’s other major claim — that the company had no logging system in place and it wouldn’t even be able to determine what the hacker accessed.
Worries that the hacker might have stolen certificates and files that could allow them to access Ubiquiti customer devices were also not discussed.
The only meaningful statement the company provided was that they now have “well-developed evidence that the perpetrator is an individual with intricate knowledge of [its] cloud infrastructure.”
The statement, which many security experts described on Twitter as disingenuous and “lawyered up,” did not address any of the issues pressing the company’s customers.
As it currently stands, Ubiquiti continues to downplay an incident that may end up irreparably damaging its reputation as a trusted networking device provider in a market flooded by competitors.
Furthermore, the Ubiquiti breach may also end up becoming one of the prime examples of how not to handle a data breach disclosure and, just like in the case of Equifax, Yahoo, and Marriott, may end up dragging the company’s leadership in front of a few US government hearings.