Networking and Internet of Things (IoT) vendor Ubiquiti has responded to allegations that it deliberately downplayed a data breach in January.
In a statement posted to its user forum, the company says it has “no evidence that customer information was accessed” and that “nothing has changed with respect to our analysis of customer data and the security of our products since our notification on January 11”.
The 11 January notification by Ubiquiti said “we cannot be certain that user data has not been exposed” and didn’t mention the security of its products at all.
On Tuesday, respected security expert Brian Krebs reported on conversations he had had with an anonymous security pro who had been part of Ubiquiti’s response to the breach. Krebs’ source described the breach as “catastrophic” in scope, as the attackers had obtained root admin access to Ubiquiti’s entire cloud infrastructure on Amazon Web Services (AWS). They would potentially have been able to access any Ubiquiti cloud-linked device around the world, including millions of networked security cameras, door locks, WiFi boxes, switches and firewalls.
Krebs’ source also claimed that Ubiquiti did not keep access logs for its files, and thus couldn’t know who might have read or copied them.
Ubiquiti’s new statement says:
“The attacker, who unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials, never claimed to have accessed any customer information. This, along with other evidence, is why we believe that customer data was not the target of, or otherwise accessed in connection with, the incident.”
It would be interesting to know what the “other evidence” could be that customer data was not accessed, other than the attacker’s bare statement that he or she had not done so. The two statements by Ubiquiti taken together convey the impression that customer data certainly could have been accessed.
Ubiquiti does offer a further intriguing hint:
“At this point, we have well-developed evidence that the perpetrator is an individual with intricate knowledge of our cloud infrastructure. As we are cooperating with law enforcement in an ongoing investigation, we cannot comment further.”
Krebs’ source also specified that the attackers “had access to privileged credentials which had been stored in the LastPass account of a Ubiquiti employee”.
According to GlobalData’s Technology Intelligence Centre, Ubiquiti reported revenues of $1.28bn for FY2020, an increase of 10.6% year-on-year. FY2020 operating margin was 37.2%, up from 33.9% the previous year. It is traded on the NYSE and the stock performed well following the January announcement, rising from a mid-January low of $243.13 to a peak of $395.16 on Friday 26 March. Since Krebs published his new report it has fallen below $300.