Cybersecurity ransom: To pay or not to pay?

Cybercriminal ransom demand: To pay or not to pay?

  • In the aftermath of a significant data breach, Latitude Financial pledges not to pay the ransom demanded by the hackers.
  • Latitude’s CEO, Bob Belan, believes that paying the ransom would be detrimental to customers and the broader community, as it would encourage additional attacks.

Australian financial company Latitude Group Holdings recently announced that they would not submit to the criminals’ ransom demands after a cyberattack last month, stating that doing so would harm customers and the wider community by incentivizing further attacks.

Latitude’s stance: Cybersecurity and ransom dilemma

“Latitude will not pay a ransom to criminals,” said Latitude’s CEO, Bob Belan. “Based on evidence and advice, there’s no assurance that paying would result in the destruction of any customer data, and it would only promote more extortion attempts on Australian and New Zealand businesses in the future.”

As reported by The Guardian, the volume of stolen data cited in the attackers’ ransom demand matched the updated count of affected customers disclosed by Latitude. Approximately 14 million customer records, including driver’s license numbers, passport numbers, and financial statements, were stolen. Cybersecurity experts consider many of these documents particularly sensitive, because they contain unique identifiers that, combined with general personal information, could be used to steal an individual’s identity.

The government has initiated a public discussion regarding potential changes to cyber legislation, which may grant federal agencies increased authority to step in when private firms face cyberattacks. Additionally, these legislative modifications could prohibit the payment of ransoms.

Comparing Latitude’s response with Medibank and Colonial Pipeline cases

In a similar incident last year, Medibank declared their refusal to pay a ransom to the alleged hacker who had stolen data relating to 9.7 million customers, arguing that they couldn’t “trust criminals” not to exploit people further.

Medibank’s CEO, David Koczkar, stated that paying a ransom equated to extortion and could potentially lead to customers or other businesses being targeted. He emphasized that criminals couldn’t be trusted, and their decision not to pay the ransom was based on the belief that it would offer the best security for their customers and other Australians.

In contrast, Colonial Pipeline is an example of a company that opted to pay a ransom. This case, considered one of the largest ransomware attacks, involved infiltrating the pipeline operator’s digital systems, leading to a shutdown lasting several days. The DarkSide attackers demanded 75 bitcoin, which is about US$4.4 million. The company paid the ransom, and CEO Joseph Blount hoped it would speed up recovery, as the extent of the intrusion and the time needed for restoration were unclear – but it did not.

Latitude’s decision not to pay the ransom can affect other businesses in several ways: it sets a precedent for refusing to pay, encourages businesses to prioritize cybersecurity, may improve the company’s reputation, and promotes collaboration between businesses, law enforcement, and cybersecurity experts.

However, not paying a ransom carries risks, and Latitude may face potential repercussions from the attackers. Each organization must consider its unique situation and risks when responding to a cyberattack.

Making informed decisions: Weighing risks and benefits in ransomware attacks

Tech Wire Asia discussed Latitude’s stance on ransomware payment with Sean Duca, Vice President and Regional Chief Security Officer at Palo Alto Networks. Duca believes that paying a ransom can be detrimental but acknowledges that each organization must determine its risk tolerance and assess the impact of stolen data on a case-by-case basis.

“An organization must be open to discussions to understand the true impact of the breach. For example, if hackers steal credit card numbers but don’t have access to the CCV or expiry date, it’s much more difficult for them to use the data,” he added. “But if it was critical infrastructure, where there can be life-or-death situations, such as a hospital, this changes the risk equation for an organization. Ultimately, it’s up to an organization to determine its risk tolerance and whether or not it has done everything it can to protect the data of past and present customers.”

Organizations worldwide must carefully evaluate their response strategies, considering the long-term effects of their decision on the overall cybersecurity landscape. While paying a ransom might offer a quicker resolution in the short term, it can also contribute to the growth and sophistication of criminal groups. Conversely, refusing to pay a ransom can be seen as a strong stance against cybercrime but carries the risk of further repercussions from the attackers.

In conclusion, the decision to pay or not to pay a ransom during a cyberattack is a complex one that must be carefully considered on a case-by-case basis. By weighing the potential risks and benefits, organizations can make informed choices that prioritize the security of their customers, employees, and the broader community.