Ray Alner

Ubiquiti, Coverups & Data Breaches - What Could Go Wrong-er.

Profits > Customers' Personal Data

Companies that intentionally put their profits and stock prices ahead of their customers' security are a disgrace to the tech community. When a company does that, it is saying several things at once. It is telling the industry that putting profits ahead of customers is acceptable, and that it can be done with impunity. It is telling its customers that they are not important; they exist to be used to raise the stock price and benefit the shareholders. WE made this product for US, and the fact that YOU are using it means WE can use YOU to benefit OURSELVES.

Enter Ubiquiti. Their data breach told us exactly that. Their reporting, their blame-shifting, their decisions all point to this mindset. How can we, as consumers, tell these companies this is not OK? I have some ideas, but first a little background on what I'm talking about.


Ubiquiti Data Breach - The Facts

Here are some facts about the Ubiquiti data breach, if you're not familiar with it.

About four months ago, Ubiquiti was hit by a targeted attack, which it described as a data breach of a "third party" cloud vendor, that resulted in improper access to multiple parts of its business, including S3 buckets, logs, user credential databases, and other sensitive information.

They responded by ignoring the attackers' demand for $2.8 million in bitcoin and spent the next several days rotating credentials for all employees in an attempt to contain the breach.

Several days later, they asked customers to change their passwords, saying only that a "third party" had been breached. They did not invalidate anyone's existing password.

Bad Sniff Test

I always apply a "sniff test" to anything that looks too good to be true or otherwise questionable. This one failed it, and other cybersecurity experts came to the same conclusion. Here is what doesn't add up:

  1. Why did they not report this earlier? The breach, as described, touched on several data protection and privacy laws, some of which require notification within 72 hours of discovery. How were they able to sidestep that requirement?

  2. Why blame a third-party vendor for your breach? The problem is that this puts the liability squarely on nobody's shoulders. By calling it a "third party" data breach, and not naming the third party, they have effectively removed their own liability and can cleanly blame someone else without blaming anyone. It's like a double blind date: neither the customers nor the "third party" know who Ubiquiti is talking about, but the friend who set it up knows everything. Those relationships never end well.

  3. Why did they cover their own behind before letting their customers know about the breach? Spending several days rotating your own passwords and credentials before telling anyone sends the message that the customers' data isn't important, but your behind and your data are.

  4. Why didn't they simply rotate the users' passwords and other credentials, as they did their own? My guess is that forcibly resetting CUSTOMER passwords would amount to admitting a breach, and this certainly is a "breach" in the formal sense of the word. That could mean fines and mandated protections for customers, which would be costly.

  5. Where is the logging? Was this set up by a first-year intern still learning how to configure an Amazon S3 bucket with logging? Logging is a critical part of keeping user information secure; without it you cannot even tell what was accessed. Although, if your goal is to keep costs down, then sure, go with less logging. Many breaches seem (to me at least) to be self-reported, so I suppose "I don't know what I don't know" can serve as an excuse, but that excuse only goes so far.

  6. The NDAs. Good grief. It's not your data! We deserve to know the extent of the breach of OUR data. You can't put your CSO or an external cybersecurity expert behind an NDA, tell them all hell will break loose if they talk about it, and then tell your customers only what protects your stock price.

  7. Reactions. What did you do to fix the problem? Platitudes like "We take our customers' data seriously," with nothing about how you are strengthening your security posture, do not make me feel warm and fuzzy inside.
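Points 3 and 4 above (and the "they did not invalidate anyone's password" fact) come down to one server-side distinction: a "please change your password" notice changes nothing, while a forced reset makes the old password and every live session stop working immediately. The code below shows that distinction in working form. It is an added example, not Ubiquiti's code or any real system's; the in-memory store, the PBKDF2 parameters and the user name are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets


class CredentialStore:
    """Minimal in-memory user/session store (hypothetical, constructed for this example).

    Each user record carries a credential version. Sessions remember the
    version they were issued under, so bumping the version invalidates every
    session at once, even ones that were never explicitly deleted.
    """

    PBKDF2_ROUNDS = 200_000  # assumed parameter; tune for your hardware

    def __init__(self):
        self._users = {}     # username -> record dict
        self._sessions = {}  # session token -> (username, credential version)

    @classmethod
    def _hash(cls, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cls.PBKDF2_ROUNDS)

    def create_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt,
            "hash": self._hash(password, salt),
            "version": 1,
            "must_reset": False,
            "reset_token": None,
        }

    def login(self, username, password):
        """Return a session token, or None if the password is wrong or a reset is pending."""
        rec = self._users.get(username)
        if rec is None or rec["must_reset"] or rec["hash"] is None:
            return None
        if not hmac.compare_digest(rec["hash"], self._hash(password, rec["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, rec["version"])
        return token

    def session_valid(self, token):
        entry = self._sessions.get(token)
        if entry is None:
            return False
        username, version = entry
        rec = self._users.get(username)
        return rec is not None and not rec["must_reset"] and version == rec["version"]

    def advise_password_change(self, username):
        """A 'please change your password' email. Server-side this is a no-op:
        the old password still works and every existing session stays live."""
        return None

    def invalidate_credentials(self, username):
        """Forced reset: the old password stops working immediately, every
        session is dead, and the user gets a one-time reset token."""
        rec = self._users[username]
        rec["hash"] = None
        rec["must_reset"] = True
        rec["version"] += 1  # kills sessions issued under the old version
        # Drop the dead sessions eagerly as well; don't rely on lazy checks alone.
        for token in [t for t, (u, _) in self._sessions.items() if u == username]:
            del self._sessions[token]
        rec["reset_token"] = secrets.token_urlsafe(32)
        return rec["reset_token"]

    def complete_reset(self, username, reset_token, new_password):
        """Consume the one-time reset token and set a new password."""
        rec = self._users.get(username)
        if rec is None or rec["reset_token"] is None:
            return False
        if not hmac.compare_digest(rec["reset_token"], reset_token):
            return False
        rec["salt"] = os.urandom(16)
        rec["hash"] = self._hash(new_password, rec["salt"])
        rec["must_reset"] = False
        rec["reset_token"] = None
        return True


if __name__ == "__main__":
    store = CredentialStore()
    store.create_user("alice", "correct horse battery staple")
    old_session = store.login("alice", "correct horse battery staple")
    store.advise_password_change("alice")
    print("after advisory, old session valid:", store.session_valid(old_session))        # True
    reset = store.invalidate_credentials("alice")
    print("after forced reset, old session valid:", store.session_valid(old_session))    # False
    print("old password still works:", store.login("alice", "correct horse battery staple") is not None)  # False
    store.complete_reset("alice", reset, "new passphrase")
    print("new password works:", store.login("alice", "new passphrase") is not None)     # True
```

The version counter is the important part: when the credential database itself has been exposed, you cannot know which sessions the attacker already holds, so the reset must invalidate everything issued before it rather than just the rows you happen to find. The reset token must be delivered out of band (email, in-app prompt after re-authentication) and never derived from the old password.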
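A concrete version of the logging question in point 5: the check below audits a set of S3 buckets for server access logging and flags the two weak configurations a reviewer looks for first, no logging at all and a bucket that logs to itself (S3 allows it, but then anyone who can write to the bucket can also delete the evidence). This is an added example, not Ubiquiti's code. The bucket names and the configuration responses are constructed to match the shape boto3's `get_bucket_logging` returns, so the audit runs offline; `collect_live_configs` is the only part that would talk to AWS and is never called here.

```python
"""Audit S3 server access logging configuration (added example, constructed data)."""

# Constructed sample: the shape boto3's s3.get_bucket_logging() returns.
# When logging is on, the response has a 'LoggingEnabled' key with the target
# bucket and prefix; when it is off, that key is simply absent.
SAMPLE_CONFIGS = {
    "prod-user-backups": {
        "LoggingEnabled": {"TargetBucket": "central-access-logs", "TargetPrefix": "prod-user-backups/"}
    },
    "customer-exports": {},  # logging never turned on
    "device-telemetry": {
        "LoggingEnabled": {"TargetBucket": "device-telemetry", "TargetPrefix": "logs/"}  # logs to itself
    },
}


def audit_bucket_logging(configs):
    """Return {'no_logging': [...], 'self_logging': [...]} for a bucket -> config map."""
    findings = {"no_logging": [], "self_logging": []}
    for name, cfg in configs.items():
        target = (cfg.get("LoggingEnabled") or {}).get("TargetBucket")
        if not target:
            findings["no_logging"].append(name)
        elif target == name:
            findings["self_logging"].append(name)
    for key in findings:
        findings[key].sort()
    return findings


def collect_live_configs(s3_client):
    """Build the same map from a real account. Takes a boto3 S3 client so the
    caller controls credentials and region; buckets in another region may need
    a client for that region. Not called anywhere in this file."""
    configs = {}
    for bucket in s3_client.list_buckets().get("Buckets", []):
        name = bucket["Name"]
        configs[name] = s3_client.get_bucket_logging(Bucket=name)
    return configs


if __name__ == "__main__":
    report = audit_bucket_logging(SAMPLE_CONFIGS)
    for kind, buckets in report.items():
        print(f"{kind}: {', '.join(buckets) or '-'}")
    # Against a real account (needs boto3 and credentials):
    #   import boto3
    #   print(audit_bucket_logging(collect_live_configs(boto3.client("s3"))))
```

Two caveats a practitioner would add: server access logs are delivered on a best-effort basis, so for a bucket holding credential databases you also want CloudTrail S3 data events, which are the record you would actually reconstruct an incident from; and the log bucket itself needs a policy that the accounts being logged cannot write to, or the self-logging problem just moves one hop away.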

The Future

I still believe the future of data security and cybersecurity requirements is bright. Here's what I think will happen as data security becomes more normalized and templated.

  1. Data breach reporting will follow some form of template based on the type of breach. I imagine there will be definitions of what counts as a data breach, what can be called a "third party" data breach, what must be reported to the data protection agencies, and what level of logging is required based on the data being held or accessible. If the required logging is not in place, fines will be levied, per day or per person, until it is.

  2. There could be a data security health arm of the government, or some level of private enterprise, that checks and audits the security of the data companies hold, along the lines of the SOC 2 requirement.

  3. Insurance for data breaches will likely evolve to help mitigate some of the costs that come with them, whether PR, customer support, credit monitoring, or similar.

As data breaches become more costly, companies are taking the less costly approach: Ubiquiti claiming it wasn't a "data breach" in the "technical" meaning of the word; LinkedIn claiming it was "scraping," not a "data breach"; Facebook claiming "scraping" too. If that's the case, let's just air all our data out there for everyone to see. Because, "technically" speaking, it's all "public" data anyway, right? Well, it will be once it's been "hacked."
