Ubiquiti is a vendor of cloud-managed networking and internet of things (IoT) devices such as routers, access points and security cameras. In January 2021 it announced a breach involving a third-party cloud provider in which customer account data, including credentials, may have been exposed.
Now, someone involved in the response process is claiming Ubiquiti has downplayed the incident and the event could be classified as “catastrophic.”
On January 11, Ubiquiti emailed customers to notify them of a security breach. The notification explained that threat actors had gained unauthorized access to systems hosted by a third-party cloud provider, and that names, email addresses, password credentials, home addresses and phone numbers may have been compromised. Customers were asked to change their passwords and enable multi-factor authentication (MFA); nothing was forced.
A few months later, an individual who took part in the response told journalist Brian Krebs that the incident was being minimized internally and had not been disclosed with full transparency. In a letter to European regulators the individual wrote, “It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers. The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.” They also said the threat actors had full access to Ubiquiti’s databases at Amazon Web Services (AWS), which appears to be the unnamed third-party provider; AWS was not identified in the customer notification.
The whistleblower also told Krebs that in December 2020 security engineers noticed Linux virtual machines being created that nobody could account for. While investigating, they found backdoors the threat actors had left behind and removed them, after which the threat actors demanded a ransom. Ubiquiti refused to negotiate. Instead it rotated employee credentials to prevent further compromise, and it completed that rotation before notifying any customers.
The whistleblower also argues Ubiquiti should have invalidated all customer credentials and forced a reset rather than asking customers to change their passwords on their own. A second major problem was that Ubiquiti had no proof of what had actually been accessed, because access logging was not enabled on the databases; without such logs the scope of a breach cannot be bounded, and the only safe assumption is that everything the databases held was taken. The letter states: “Legal overrode the repeated requests to force rotation of all customer credentials, and to revert any device access permission changes within the relevant period.”
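The two containment steps the whistleblower says were overruled, forced rotation of every customer credential and reverting device access-permission changes made inside the compromise window, shown as an added example in Python. This is not Ubiquiti's code: the customer and access-change records, the field names, the compromise window dates and the KDF parameters are all constructed for illustration. It goes slightly beyond the letter's wording by also revoking sessions and API keys, because a password reset on its own leaves any token an attacker already holds valid.

```python
"""Added example, not Ubiquiti's code: the two containment steps the
whistleblower says legal overruled, on a constructed in-memory store.
 1. Force rotation of every customer credential (passwords, sessions, API
    keys) and require a reset at next login, instead of asking customers.
 2. Revert device access-permission changes made inside the compromise window.
Records, field names, the window and KDF parameters are all constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass
class Customer:
    email: str
    salt: bytes
    password_hash: Optional[bytes]   # None = no valid password on file
    sessions: Set[str] = field(default_factory=set)
    api_keys: Set[str] = field(default_factory=set)
    must_reset: bool = False


def derive(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; prefer argon2/scrypt in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def new_customer(email: str, password: str) -> Customer:
    salt = secrets.token_bytes(16)
    return Customer(email, salt, derive(password, salt),
                    sessions={secrets.token_hex(16)},
                    api_keys={secrets.token_hex(16)})


def login(c: Customer, password: str) -> str:
    """Return 'reset_required', 'ok' or 'denied'. The reset flag is checked
    first, so a stolen password no longer authenticates after rotation."""
    if c.must_reset or c.password_hash is None:
        return "reset_required"
    if hmac.compare_digest(derive(password, c.salt), c.password_hash):
        return "ok"
    return "denied"


def force_credential_rotation(customers: List[Customer]) -> int:
    """Invalidate every password, session token and API key in one pass.
    Returns the number of accounts touched."""
    for c in customers:
        c.password_hash = None   # the leaked password can no longer be used
        c.sessions.clear()       # any attacker session is cut off as well
        c.api_keys.clear()       # device/API tokens must be re-issued
        c.must_reset = True
    return len(customers)


@dataclass
class AccessChange:
    at: datetime
    device_id: str
    grantee: str
    action: str   # "grant" or "revoke"


def revert_access_changes(current: Dict[str, Set[str]], log: List[AccessChange],
                          window_start: datetime, window_end: datetime) -> int:
    """Undo grant/revoke events inside the window, newest first, on `current`
    (device_id -> set of grantees). Returns the number of events reverted;
    events outside the window are left untouched."""
    in_window = [e for e in log if window_start <= e.at <= window_end]
    for e in sorted(in_window, key=lambda e: e.at, reverse=True):
        grantees = current.setdefault(e.device_id, set())
        if e.action == "grant":
            grantees.discard(e.grantee)
        elif e.action == "revoke":
            grantees.add(e.grantee)
    return len(in_window)


def demo():
    """Constructed scenario: during the assumed window an attacker holding a
    stolen password grants themselves access to a customer's gateway."""
    alice = new_customer("alice@example.com", "correct horse")
    assert login(alice, "correct horse") == "ok"   # leaked password still works
    win_start = datetime(2020, 12, 1, tzinfo=timezone.utc)   # assumed window
    win_end = datetime(2020, 12, 31, tzinfo=timezone.utc)
    current = {"gw-home-1": {"alice@example.com", "attacker@evil.example"}}
    log = [
        AccessChange(datetime(2020, 11, 15, tzinfo=timezone.utc), "gw-home-1",
                     "alice@example.com", "grant"),        # legitimate, pre-window
        AccessChange(datetime(2020, 12, 10, tzinfo=timezone.utc), "gw-home-1",
                     "attacker@evil.example", "grant"),    # attacker, in window
    ]
    touched = force_credential_rotation([alice])
    reverted = revert_access_changes(current, log, win_start, win_end)
    return touched, reverted, login(alice, "correct horse"), current["gw-home-1"]


if __name__ == "__main__":
    print(demo())
```

The point of `force_credential_rotation` is that it leaves no window in which a leaked credential still works, which an advisory email cannot guarantee. `revert_access_changes` depends on having a change log to replay, which is exactly the kind of record the whistleblower says was missing for the databases: without logs, neither the window nor the changes inside it can be established.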
All of this is concerning for Ubiquiti, but it also shows how important the response process is for every organization. Whether you are protecting your customers or your own organization, transparency is key. Engage a security firm with forensic investigative capabilities and a legal team that can properly support the response. If you ever fall victim to a breach, your customers will want to know whether they are exposed to threat actors. In Ubiquiti’s case, customers may lose trust because of how the company handled the incident, which may damage the brand’s reputation in the long run.
To avoid an attack like this, call SpearTip. Our engineers continuously investigate networks from our 24/7 security operations center. With our digital forensics capability, we can give legal teams the accurate information they need to make the right decisions and keep your organization transparent when disclosing critical details.