
Ex-Ubiquiti Engineer Behind 'Breathtaking' Data Theft Gets 6-Year Prison Term (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: An ex-Ubiquiti engineer, Nickolas Sharp, was sentenced to six years in prison yesterday after pleading guilty in a New York court to stealing tens of gigabytes of confidential data, demanding a $1.9 million ransom from his former employer, and then publishing the data publicly when his demands were refused. Sharp had asked for no prison time, telling United States District Judge Katherine Polk Failla that the cyberattack was actually an "unsanctioned security drill" that left Ubiquiti "a safer place for itself and for its clients," Bloomberg reported. In a court document (PDF), Sharp claimed that Ubiquiti CEO Robert Pera had prevented Sharp from "resolving outstanding security issues," and Sharp told the judge that this led to an "idiotic hyperfixation" on fixing those security flaws.

However, even if that was Sharp's true motivation, Failla did not accept his justification of his crimes, which include wire fraud, intentionally damaging protected computers, and lying to the FBI. "It was not up to Mr. Sharp to play God in this circumstance," Failla said. US attorney for the Southern District of New York, Damian Williams, argued (PDF) that Sharp was not a "cybersecurity vigilante" but an "inveterate liar and data thief" who was "presenting a contrived deception to the Court that this entire offense was somehow just a misguided security drill." Williams said that Sharp made "dozens, if not hundreds, of criminal decisions" and even implicated innocent co-workers to "divert suspicion." Sharp also had already admitted in pre-sentencing that the cyber attack was planned for "financial gain." Williams said Sharp did it seemingly out of "pure greed" and ego because Sharp "felt mistreated" -- overworked and underpaid -- by the IT company, Williams said.

Court documents show that Ubiquiti spent "well over $1.5 million dollars and hundreds of hours of employee and consultant time" trying to remediate what Williams described as Sharp's "breathtaking" theft. But the company lost much more than that when Sharp attempted to conceal his crimes -- posing as a whistleblower, planting false media reports, and contacting US and foreign regulators to investigate Ubiquiti's alleged downplaying of the data breach. Within a single day after Sharp planted false reports, stocks plummeted, causing Ubiquiti to lose over $4 billion in market capitalization value, court documents show. Williams had pushed the court to impose a sentence of between eight and 10 years, arguing that anything less would be perceived by the public as a "slap on the wrist." Sharp's six-year term is slightly less than that, but in a press release, Williams described the sentence as imposing "serious penalties" for Sharp's "callous crimes." "He was disgruntled at his employer, planning to leave the company, and wanted to extort millions of dollars and cause damage on his way out," Williams said in his sentencing memo.

Comments:
  • Doesn't sound like a lot in today's terms

  • The market cap is the sum of shares available for trade multiplied by the then-current price of the shares. This is 100% determined by what buyers are willing to buy -- expecting to sell for more tomorrow, and what sellers are willing to sell, expecting the price to drop tomorrow. While they make use of published information, investors' behavior en masse cannot be attributed to a simple data leak. If so, market caps of e.g. Norton, Experian, Intel, and many other "hacked companies" would have shown similar

    • by Anonymous Coward on Thursday May 11, 2023 @05:15PM (#63514957)

      Note: I'm not defending nor justifying unlawful behavior. I'm saying that the link to hold the leaker responsible for what millions of individual investors each independently did is too tenuous to be the basis for sentencing. Law enforcement always tries to make it seem like any bad act led to dead babies or devalued companies, or unsafe water, or whatever... and always fails to meet the burden of proof.

      Except that it isn't really possible to put a value on a reputation.
      The reality is you can only ask a court to make you whole from harm, by asking for things a court is actually capable of doing.

      This guy intentionally set out to smear Ubiquiti's reputation, telling news outlets that their network was crawling with Russian hackers who had the keys to their kingdom.

      The damage was very real, and was reflected in far more than just their stock price.
      I say "was", though they still haven't and likely never will fully recover.

      So what is a court to do? A court can't just magically force everyone to know the truth of the matter, let alone force people to trust Ubiquiti again.
      Awarding money is one of the few things the court actually can do.
      They are supposed to have some reasoning behind the amount awarded, say for example the loss in share price, instead of plucking a random number from thin air.

      Another single anecdote - Our company was reevaluating our network vendors, wanting to consolidate wired (switches), wireless, and routers. Right when this crap went down.
      Instead of choosing Ubiquiti for at least two if not all three of those, we ditched our UniFi wifi and went with an all-Cisco (Meraki wifi) solution.
      Not only did Ubiquiti lose the business of ours they already had, but they lost more business for a 10-year time span (at least) until the next reevaluation.

      The harm this insider caused goes far deeper than stock price, and it's impossible to believe that wasn't his one and only intent.

      • by AmiMoJo ( 196126 )

        The court could award money to spend on advertising to inform people of what happened, but I doubt he even has $1.9 million anyway. If he ever had it, chances are he spent as much of it as he could on defending himself in the trial.

        Ubiquiti is popular with professionals because it works well and is easy to set up. Of course, most of them don't really care about the downsides or that Ubiquiti's security may be lax. If they are contractors they only care about getting the installation done, if they are salari

      • Despite the lies surrounding the release, the security vulnerabilities were real. Ubiquiti's reputation SHOULD be tarnished based on that alone. Especially a company that is forcing all their customers to move to cloud-based management for core switching gear, which requires considerable trust that the company won't be hacked, allowing anyone access into a Ubiquiti-based network.

    • Investors know Ubiquiti's core business is security.
  • Person goes to jail for unambiguously committing crimes. I suppose there's a story in there somewhere...

    • I guess you don't work in IT.
    • Person goes to jail for unambiguously committing crimes. I suppose there's a story in there somewhere...

      You must be new here. On planet Earth, every day there are thousands of news stories that follow the pattern "one of two opposing sportsball teams won a sportsball game."

  • by 93 Escort Wagon ( 326346 ) on Thursday May 11, 2023 @05:02PM (#63514923)

    Guess we aren't supposed to notice the demand for a $1.8 million ransom.

    • Guess we aren't supposed to notice the demand for a $1.8 million ransom.

      Well, it's a well-known fact that judges are idiots who routinely fall for transparent ploys. How could he have known that his was the one exception?

  • Was it Sharp for snapping and doing this to his employer? Or is it the employer that is the monster for pushing a stressed employee past their limit and causing them to break?

    I feel like in a lot of these cases with disgruntled employees, there is a little of both at play and no one is truly innocent. After reading a story like this, I'd never want to work in IT at Ubiquiti because it pushes people to breaking. The way I see it, 'Going Postal' isn't because the Post Office hired a bunch of psychos, it's bec

    • Was it Sharp for snapping and doing this to his employer? Or is it the employer that is the monster for pushing a stressed employee past their limit and causing them to break?

      Bullshit. Two wrongs don't make a right. If you don't like your job quit and go somewhere else. Committing crimes against them is not the answer.

      • by Jharish ( 101858 )

        I agree, not condoning the actions or excusing them. What I am attempting to do and I guess, failing, is pointing out that like the postal industry of the 80s and 90s giving us the euphemism 'going postal' for when one loses it, nowadays it seems IT workers are the ones. And maybe it's time to say something like 'Going IT' for all these workers who believe they are above the law and either try to make money or punish their employers through misuse of their access.

        But more importantly, are we paying attentio

  • Can't be configured without a spyphone app. Useless garbage, all of it.
  • > publishing the data publicly vs publishing it privately to your cat?
  • They're happy to prosecute, but less quick to comply with the GPL. E.g. no GPL code (Linux kernel, U-Boot etc.) is available for the UniFi 6 LR, and no answer to emails chasing them (just a single "I will provide the download links shortly" well over 30 days ago - which is the time limit in the GPL). This is by no means the first time that this has happened either...

    • To be fair, this is generalized across the board. Although I would like better transparency for all involved, until we start suing, nothing is gonna change.
