Governance & Risk Management
,
Insider Threat
Nickolas Sharp, 37, Must Also Pay $1.6 Million In Restitution
Nickolas Sharp, a one-time employee of Ubiquity who pleaded guilty to insider hacking received Wednesday a six year prison sentence.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
Sharp, 37, must also pay restitution of $1.6 million. He admitted guilt on Feb. 2 to three criminal counts including transmitting a program to a protected computer that intentionally caused damage (see: Ubiquiti Insider Hacker Pleads Guilty).
The sentence is less than the eight to 10 years requested by prosecutors but considerably more than the single year of home confinement defense attorneys sought.
Sharp in late 2020 and early 2021 downloaded gigabytes of confidential company data, altered logs to cover up his tracks, and sent an anonymous ransom note demanding 50 bitcoin – all the while working on the team charged with remediating the incident. His extortion demand at the time he sent it in January 2021 was worth $1.9 million.
“Nickolas Sharp was paid close to a quarter million dollars a year to help keep his employer safe. He abused that trust,” said Damian Williams, U.S. attorney for the Southern District of New York. “Sharp now faces serious penalties for his callous crimes.”
After the FBI raided Sharp’s Portland, Oregon, home in March 2021, he went public with a chunk of the files and planted false stories in the media exaggerating the scope of the breach, causing Ubiquiti’s stock to plummet. Prosecutors say Ubiquiti’s share price fell by 20% over the last two days of March, causing the company to lose more than $4 billion in market capitalization.
Under his plea agreement, Sharp pleaded guilty to intentionally damaging a protected computer, wire fraud, and making false statements to FBI.
Sharp’s attorneys in an April 26 sentencing memo said his insider hacking episode was a misbegotten attempt to highlight ongoing security problems at Ubiquiti. “Drafting articles to Krebs about such insecure systems and attempting to extort the company in a halfhearted way so the company would finally pay attention to what he had pointed out on several occasions” was his real intention, they wrote.
“Krebs” is a reference to cybersecurity Brian Krebs, who ran on his website articles based on information supplied by Sharp, who posed as a company whistleblower. Krebs ultimately retracted the articles and settled in 2022 a lawsuit filed by Ubiquiti alleging defamation (see: For Hire: Ex-Ubiquiti Developer Charged With Extortion).
Prosecutors in their sentencing memo disagreed that Sharp was motivated by a desire to showcase security vulnerabilities. ” Far from a hacker targeting a vulnerability open to third parties, Sharp used credentials legitimately entrusted to him by the company, to steal data and cover his tracks,” they wrote.
“Sharp had no interest in the long-term success of [Ubiquiti] – he was already planning to leave the company, and it is clear that his goal was to hurt [Ubiquiti], embarrass his former co-workers and supervisors, and profit off of his crimes on his way out of the company,” the added.