Paying hackers a ransom to keep clients’ data safe

It isn’t just data breaches due to negligence and incompetence that can bring your details into the public realm.

Increasingly, businesses, government authorities, and various other organisations are falling victim to ransomware attacks. Hackers steal data or block access to vital systems in such attacks until the targeted organisation pays a “ransom”.

One of the reasons ransomware attacks are so prevalent is that they work. Knowing the consequences of a data breach, or fearing a loss of revenue and profit if their systems collapse, many organisations pay cybercriminals the ransom they’re seeking.

Is this a wise step on the part of the affected businesses? What impact does the activity of cybercriminals attacking businesses have on you as a consumer?

What happens when a business or another organisation pays up?

The answer to this question depends on the intentions of the criminals behind the ransomware attack. It also depends on the specific nature of the attack itself.

For example, say a business is the victim of a ransomware attack involving criminals taking control of a set of systems. Upon payment of the ransom, the attacker can either give back control of the system or make a subsequent demand. It is this uncertainty that likely puts many businesses off paying a ransom. After all, you cannot do much if an attacker refuses to hand back control of a system after you’ve paid! There is also the possibility that an attacker could hand back a system in a corrupted state or with data missing.

The situation is slightly different when it comes to ransomware being used for data theft.

For example, criminals could threaten to use whatever data they’ve stolen for various reasons, including:

  • Disclosing it to data protection authorities to highlight security shortcomings.
  • Targeting people directly based on the details held within the data.
  • Selling the data to other criminals or releasing it either publicly or on the dark web.

The thing with data theft is that if criminals hold your data and you choose to pay up, you’re relying on them doing what they said they would once they receive the ransom. With that in mind, the answer to this question, particularly as it relates to data theft, is “we don’t know.” Most criminal networks aren’t going to pass up the opportunity to get paid twice: they can collect a ransom from a business, say they’ve deleted the data, and then sell it anyway.

What happens when they don’t?

One UK organisation to have recently suffered a ransomware attack is Hackney Council.  

Hackney Council didn’t pay a ransom following an October 2020 attack. At the time of writing, the criminals behind the attack retained control of a range of the council’s systems, severely affecting operations. There have also been several data leaks from the systems in question. However, Hackney Council hasn’t exactly covered itself in glory from a data protection perspective lately, either.

This is likely a typical example of what happens when businesses refuse to pay out, at least when criminals use ransomware to take control of systems. For data theft cases, there is a considerable likelihood the data will end up being sold or leaked anyway. So it is unsurprising that many choose not to pay the ransom in such cases.

What types of organisations are at risk from ransomware attacks?

From a consumer perspective, it isn’t possible to say there are certain types of businesses or organisations to avoid to minimise the risk of your data being involved in a breach. Modern life means we’re sharing an increasing volume of data about ourselves every single day.

The types of organisations that ransomware attackers target also show us how difficult it is to avoid our data being involved in an attack or breach. This year alone, cybercriminals have targeted:

  • Airports
  • Arms manufacturers and distributors
  • Chemical distributors
  • Education providers, from nursery schools to universities and everything in between
  • Energy infrastructure, including oil pipelines and nuclear contractors
  • Government bodies and departments
  • Healthcare facilities
  • Insurance companies
  • Local government authorities, like councils

There are two types of organisation here:

  • Those that hold a lot of personal data, where allowing them to store and access that data is more or less essential to living our lives.
  • Those for whom a cyberattack can result in severe disruption to infrastructure and, in many cases, be life-threatening.

It’s clear why criminals find these attractive!

While all types of organisations are vulnerable, a “sweet spot” exists, particularly concerning businesses. For example, criminals might seek to target companies with significant revenue, but that are unlikely to have a dedicated cybersecurity team. Such companies would have a considerable amount of data to steal, the potential to pay a significant ransom, and perhaps be easier to hack.

However, every business and organisation is at risk of falling victim to ransomware and other types of cyberattack.

Seeking redress if your data is involved in a breach

While you might have little choice, in some cases, to share your data with various organisations, those organisations do retain an obligation to protect your data.

As such, if a ransomware attack leads to your data being compromised, and the organisation in question could have prevented it, you have grounds for a data breach claim.

If your data has been involved in a breach, contact LawPlus now for a FREE assessment of your claim.
