In brief: An engineer who worked for wireless networking products provider Ubiquiti has been sentenced to six years in prison for stealing gigabytes of confidential data from the company and demanding $1.9 million for its return. Nickolas Sharp claimed his plan was an "unsanctioned security drill" to improve network safety, but the judge didn't accept this excuse.

Bloomberg writes that 37-year-old Sharp pleaded guilty to charges of intentionally damaging a protected computer, wire fraud, and making false statements to law enforcement. Prosecutors claim he extorted money from Ubiquiti while purportedly working to fix the security breach he'd created.

Sharp asked United States District Judge Katherine Polk Failla for no prison time, arguing that the cyberattack was actually an "unsanctioned security drill" that left Ubiquiti "a safer place for itself and for its clients." Sharp also claimed that Ubiquiti CEO Robert Pera had prevented him from "resolving outstanding security issues," which led to the engineer developing an "idiotic hyperfixation" on fixing the "out of control" and "not rational" security flaws.

Failla did not accept Sharp's excuse. "It was not up to Mr. Sharp to play God in this circumstance," the judge said, adding that he'd had plenty of opportunities to "pull back from the precipice."

Sharp used his administrative access to Ubiquiti's systems to steal the secret information during his time at the company between August 2018 and April 2021. He used his cloud administrator credentials to clone hundreds of repositories over SSH and steal private files from Ubiquiti's AWS infrastructure and GitHub repositories.

Prosecutors said he was discovered copying approximately 155 data repositories when an internet outage temporarily disabled his VPN, resulting in his home IP address being unmasked by Ubiquiti. Sharp admitted to lying to FBI agents during a search of his home in March 2021.

US attorney for the Southern District of New York, Damian Williams, said Sharp, who earned $250,000 per year, made "dozens, if not hundreds, of criminal decisions" and even implicated innocent co-workers to divert suspicion away from himself. Sharp admitted that his actions were planned for "financial gain."

Ubiquiti spent over $1.5 million trying to remediate Sharp's "breathtaking" theft. Ars Technica writes that he cost the company a lot more after posing as a whistleblower, planting false reports in the media, and contacting US and foreign regulators to investigate Ubiquiti's downplaying of the data breach. He also claimed that Ubiquiti lacked a logging mechanism, which prevented it from determining whether the "attacker" had accessed any systems or data. Sharp's actions caused Ubiquiti's stock to crash, wiping $4 billion off its market cap.

"Nickolas Sharp was paid close to a quarter million dollars a year to help keep his employer safe," Williams said in a press release. "He abused that trust by stealing a massive amount of sensitive data, attempting to implicate innocent employees in his attack, extorting his employer for ransom, obstructing law enforcement, and spreading false news stories that harmed the company and anyone who invested in the company. Sharp now faces serious penalties for his callous crimes."
