He almost certainly knows if they are the same person or not, since he would have needed to confirm that his source was actually an employee, but he does not want to confirm that in a way that undeniably makes the identity of his source public. In this case the breach was much worse than initially revealed and internal vs. external is a relatively minor issue. While I didn't read the whole complaint, searching for a few keywords suggests that Ubiquiti is not disputing that their legal department overrode taking appropriate measures to protect customers, the other key point of the initial article (the main point even). An interested reader will effortlessly make the connection between the arrest and the source without it being 100% confirmed that they are the same person, and it is quite obvious that someone who was an employee will no longer be an employee after being arrested for stealing from the company; this does not in any way make it sound like a different person. Developer is more specific than employee but not at all contradictory and also does not suggest a different person. As unlikely as it seems in this case, consider if the source actually was someone else, either in this case or a similar case in the future. Never revealing sources is the safest way to protect all sources. The way the article was written provides all the relevant information without definitively confirming the identity of the source, just as it should.