In Cybersecurity, Perhaps Watch What You Say …

The cybersecurity community is often vocal in expressing their feelings around failings related to data breaches. Those with trusted voices can be fairly vocal about the poor security practices involved, and often use social media channels to disseminate their feelings. But a new lawsuit by Ubiquiti against Brian Krebs opens up a whole new debate around disseminating information about suspected data breaches, and ones that are perhaps not proven at a given time. The lawsuit is for $425K in damages.

It states that:

Ubiquiti Inc. files this defamation action because blogger Brian Krebs falsely accused the company of “covering up” a cyberattack by intentionally misleading customers about a so-called data “breach” and subsequent blackmail attempt in violation of federal law and SEC regulations.
The opposite is true: Ubiquiti promptly notified its customers about the attack and instructed them to take additional security precautions to protect their information. Ubiquiti then notified the public in the next filing it made with the SEC. But Krebs intentionally disregarded these facts to target Ubiquiti and increase ad revenue by driving traffic to his website, www.KrebsOnSecurity.com.

The focus of the complaint is that Ubiquiti Inc feels that Brian accused them of covering up a data breach, whereas the company feels that it did inform its customers and took additional protection. Ubiquiti feels that the motivation could have been to drive up ad revenue on the KrebsOnSecurity site. The story gets even more convoluted, with the main source of the leak focusing on an employee involved in the possible leak of information being charged, in Dec 2021, with four felony counts related to:

“stealing confidential data and extorting Ubiquiti … while posing as an anonymous attacker.”

The case has some serious implications on two fronts. Overall, the possible leakage of data from an insider perhaps has implications for the ethical practice of employees within a company, where they might release information that could be damaging to their company. Along with this, the action against Brian Krebs may sound a warning to those who may source or even echo suspected information around data breaches.

We are faced with a strange situation with data breaches. On the one hand, we perhaps need to pinpoint bad practice, but on the other hand, much of the information about a data breach or cybersecurity incident that is disseminated in the early stages of the event is perhaps not yet fully proven. So, we probably need to be a good deal stronger in our evidence of bad practice, as brand reputation is something that can take the greatest hit in a cybersecurity event.

So, watch out …