Ubiquiti Sues Brian Krebs Alleging Defamation

Ubiquiti sues journalist, alleging defamation in coverage of data breach

Journalist Brian Krebs is being sued by network-equipment maker Ubiquiti for defamation over his coverage of a data breach which was eventually revealed to be the work of a company insider.

Ubiquiti initially disclosed a data breach on January 11, 2021, telling customers that the breach was minor and had occurred at a “third-party cloud provider.” But on March 30, 2021, Krebs reported that an unidentified whistleblower told him the data breach was worse than Ubiquiti had said. Krebs’ story and others like it published the next day caused Ubiquiti’s market cap to drop by $4 billion, the lawsuit alleges.

Then, in December 2021, the Department of Justice said that it had charged Nickolas Sharp “for secretly stealing gigabytes of confidential files from a New York-based technology company where he was employed.” The DOJ also said, “while purportedly working to remediate the security breach, [Sharp] extort[ed] the company for nearly $2 million for the return of the files and the identification of a remaining purported vulnerability.” Sharp reportedly worked for Ubiquiti at the time of the attack.

Ubiquiti alleges that Krebs knew Sharp was his source but published a story about the charges against Sharp that was “intentionally misleading.”

“Despite these damming [sic] facts, Krebs published a story on his blog the next day, doubling down on his false accusations against Ubiquiti and intentionally misleading his readers into believing that his earlier reporting was not sourced by Sharp, the hacker behind the attack,” the lawsuit says. (Generally, journalists don’t reveal anonymous sources without the source’s consent, even if that source is charged with felonies. A felony charge is not proof of guilt, of course.)

The lawsuit says that Krebs was intentionally deceitful because “first he describes Sharp as a current employee. He then describes Sharp as a ‘former Ubiquiti developer’ to deceive readers into believing that the sourcing for his original story was a legitimate source—someone other than Sharp.”

Here’s the passage from Krebs’ December 2, 2021, article to which the lawsuit is referring:

In January 2021, technology vendor Ubiquiti Inc. [NYSE:UI] disclosed that a breach at a third-party cloud provider had exposed customer account credentials. In March [2021], a Ubiquiti employee warned that the company had drastically understated the scope of the incident and that the third-party cloud provider claim was a fabrication. On Wednesday, a former Ubiquiti developer was arrested and charged with stealing data and trying to extort his employer while pretending to be a whistleblower.

Krebs notes that the individual in question was a Ubiquiti employee as of March 2021 and that, at the time of the December charges, a “former” developer was implicated. If those individuals are the same person and if that person were fired from or left Ubiquiti between March 2021 and December 2021, then both of these things can be true, of course.

The lawsuit alludes to a request from Ubiquiti to Krebs that he retract his article, which he apparently refused. The suit also claims that Krebs “intentionally misrepresented the truth because he was financially incentivized to do so” because he runs ads on his website. Krebs added an update to his March 30, 2021, article linking to the December 2 story he wrote about the felony charges against Sharp.

Ubiquiti is asking for $425,000 in damages.