Ubiquiti sues Krebs on Security for defamation over alleged false claims

Network equipment maker Ubiquiti on Tuesday filed a lawsuit against infosec journalist Brian Krebs, alleging he defamed the company by falsely accusing the firm of covering up a cyber-attack.

On March 30, 2021, Krebs reported that Ubiquiti had disclosed a January breach involving a third-party cloud provider, later revealed to be AWS, and that an unnamed source within the firm had claimed the company was downplaying a catastrophic compromise.

On December 1, 2021, the US Department of Justice charged former Ubiquiti software engineer Nickolas Sharp, accusing him of attempting to steal data from the company and to extort $2m from the firm in Bitcoin ransom as part of an effort to reduce the price of Ubiquiti shares. The DoJ said that after Ubiquiti refused Sharp’s payment demand, he tried to sink the company’s shares by publishing stolen files and engaging in a media campaign to plant damaging stories about the firm.

The publication of these stories, on March 30 and 31, 2021, the DoJ said, coincided with a $4bn decline in Ubiquiti’s market capitalization.

Ubiquiti, in its complaint, alleges that Krebs, after seeing the DoJ announcement, knew that the unidentified source he cited in his March articles – Sharp – had been indicted for involvement in the attack on Ubiquiti.

And the biz contends he published on his Krebs-on-Security website a story on December 2, 2021, that repeated prior claims while misleadingly referring to his source as “a Ubiquiti employee” and to Sharp as “a Ubiquiti developer” as if they were separate individuals and without acknowledging that the two references were to the same person.

“Despite these damming [sic] facts, Krebs published a story on his blog the next day doubling down on his false accusations against Ubiquiti and intentionally misleading his readers into believing that his earlier reporting was not sourced by Sharp, the hacker behind the attack,” the complaint says.

The networking biz contends that the article’s assertions – about the scope of the incident being underplayed and about the company disclosure attempting to shift blame to its cloud service provider – are false. And the biz argues that Krebs’s participation in ad-based publishing motivated his alleged defamation: “Krebs intentionally misrepresented the truth because he was financially incentivized to do so. His entire business model is premised on publishing stories that conform to this narrative.”

This is not the first time Krebs has reported on a Ubiquiti security incident that has had a material impact on the company’s financials. In August 2015, the firm disclosed it had been defrauded of more than $46m by scammers sending spoofed email messages, and Krebs was among those reporting on the affair.

The Register asked Krebs to comment, and he declined, citing the advice of counsel.

Via Twitter, T. Greg Doucette, a criminal defense attorney and former computer scientist, opined that Ubiquiti’s lawsuit would be considered an attempt to suppress lawful speech – a strategic lawsuit against public participation, or SLAPP – in states that have anti-SLAPP laws.

“It’s a SLAPP: the coverage by Brian Krebs was substantially true and/or First-Amendment-protected opinion, and the lawsuit basically admits it in the text itself,” Doucette wrote. “But Ubiquiti intentionally filed in Virginia, because there’s no anti-SLAPP statute there.” ®

Editor’s note: We’re reminded of the time Keeper Security sued Ars Technica and one of its reporters, Register-alumnus Dan Goodin, for an article he wrote in 2017. The libel suit was subsequently dropped.