Six years prison for ex-Ubiquiti staffer who stole data and attempted to extort millions of dollars

A former software engineer at Ubiquit Networks has been sent to prison for six years after stealing gigabytes of data from the firm, attempting to extort millions of dollars, and harming the company's reputation in the media.

Back in January 2021, networking manufacturer Ubiquiti told users to change their passwords and enable two-factor authentication (2FA), after it realised gigabytes of confidential data had been accessed by an unknown party on its AWS servers and GitHub repositories the previous month.

Ironically, one of the Ubiquiti staff assigned to investigate the hack was Nickolas Sharp, of Portland, Oregon, a developer working in the company's cloud division.

Why ironic? Because it was Sharp who had been responsible for the hack - taking advantage of his privileged employee access to steal the data, and deleting logs that could have identified his involvement.

Furthermore, Sharp had anonymously demanded from the firm a ransom of approximately US $2 million for the safe return of the data, and details of the vulnerability he claimed to have exploited to access it.

Ubiquiti, however, refused to pay the ransom, which prompted Sharp to publish some of the stolen files online and contact a cybersecurity journalist pretending to be a whistleblower within Ubiquiti.

Media stories of security failings at Ubiquiti were claimed to have been the cause of a 20% fall in the business's share price, and the loss of over US $4 billion in market capitalisation.

Sharp's undoing was that despite using a VPN to hide his home IP address while stealing Ubiquiti's data, there had been a brief outage in the service which caused his real IP address to be logged.

Sharp entered a guilty plea in February of this year to charges of wire fraud, making false statements to FBI investigators, and transmitting a program to a protected computer that intentionally caused damage.

This week, in addition to a six year prison sentence, Sharp was also sentenced to three years of supervised release, and ordered to pay restitution of $1,590,487.

This extraordinary story underlines a truth that is not considered enough inside businesses. Yes, you should be worried about the threat posed by external hackers. But also consider the internal threat posed by insiders and rogue employees - the people you have entrusted to act responsibly with the data of your company and your customers.