The big news in the security space in the last couple of days is Uber revealing that they got hacked last year. Moreover, they paid off the hackers who were demanding money from them to keep this off the grid! Last year, a major breach at Uber gave hackers access to the data of over 57 million user accounts. While one side of the debate is that Uber should have been better prepared to prevent a breach of this scale, the other side is that they actually paid the criminals about $100,000 not to reveal the data publicly. In fact, this also helped Uber keep the incident under wraps for almost a year.
Hackers Demanding Money
Well, if you aren't aware, then let me help you understand that this is not a first-of-its-kind incident. There have been many cases of hackers demanding money in the past as well, and companies in such positions have hardly any options other than to pay up. In the last year, we've helped three companies going through a similar situation. Thankfully, none of them had to shell out any cash to hackers.
But it's not even about the money. We encourage the businesses we talk to not to pay the ransom. There are so many white hat hackers out there who hunt bugs in exchange for recognition or a bounty. That is great for businesses, because they can leverage the knowledge of the crowd. In fact, companies should have public bug bounty programs so they can reward white hat hackers as they report critical issues. Unethical hackers, on the other hand, are more likely to demand a ransom, and brands end up feeling threatened. In simple words, it's pure blackmail! Paying money in such cases only encourages this behaviour.
The fact is that a lot of companies face a similar situation with unethical hackers. Companies are known to maintain separate Bitcoin wallets to handle situations like these, where hackers demand bitcoins.
In light of the recent Uber breach, Csaba Krasznay, a security evangelist at Balabit.com, said, "In the security practice, paying a ransom is usually cheaper than paying the price of corrective actions after a successful breach. That is why the cybercrime model works: 'We have your data, pay us X bitcoins and we won't publish it on the Darknet.' Or: 'We started a DDoS attack against your service, pay Y bitcoins and we'll stop it.'"
According to the FBI, ransomware payments have increased tremendously in the last few years, from $24 million in 2015 to close to $1 billion a year later.
What's Wrong with Paying Hackers Demanding Money
Often there's debate on what's wrong with paying hackers who demand bitcoins or money in return for keeping your data from being published on the dark web. I mentioned that this is exactly like blackmail. Put yourself in the shoes of the company as a person, and think about whether you'd pay a blackmailer or a kidnapper. You might well promise to pay, but it would be far better if you also informed the police. How does that help? Well, for starters, there is a possibility that you might not have to pay anything at all. Secondly, if the police identify the culprits, it makes everyone aware of the threat and the criminals behind it.
Put this in the Uber scenario. Ideally, the company should have announced the breach last year itself, irrespective of whether or not they paid off a bunch of criminals. By staying silent about it for a year, they only empowered the criminals for longer. Instead, the company should have tried to raise public awareness of the incident. By paying off the criminals, you are only inviting them to come back for more later.
It's Not Just Uber - The Issue is Widespread
Sadly, it's not just Uber. While it is difficult to say which businesses have paid off hackers in a similar situation (because, of course, no one talks about it!), it is common knowledge among insiders that many businesses face this situation, and more often than not it's just easier to pay off the crooks!
In the recent Equifax hack this year, hackers demanded $2.6 million in bitcoins, or else they would expose the private information of more than 143 million people.
The demand stated that if they did not receive the funds from Equifax by September 15th, they would publish the data.
In the ransom demand the hackers said:
"We are two people trying to solve our lives and those of our families. We did not expect to get as much information as we did, nor do we want to affect any citizen. But we need to monetize the information as soon as possible."
If you are a Game of Thrones fan, you know that HBO had a similar situation where hackers demanded millions in ransom or else they would publicly share unaired episodes and scripts.
What Are Your Options When There Are Hackers Demanding Money
The thing is that hackers have become very smart with their demands. A decade ago, hackers would get their hands on 50 million accounts and ask for $10 million! Of course, the business would say no. Today, they ask for $200,000, and businesses think that is far cheaper than the PR damage, legal fees, and so on.
So, do businesses have to pay up, or do they have an option? Well, I believe there's always an option, but you need to be prepared for it.
1. First and foremost, verify the claims. Check what data was actually lost and how much impact it has on your organization.
2. Run a public bug bounty program or clearly mention a process for responsible disclosure on your website. You'll know why in the next step.
3. Buy yourself some time. Share details of your bug bounty or responsible disclosure program. Tell them that you will verify their claims and reward them. Do not feel threatened.
4. Always have an action plan for a scenario like this. Work out in advance how you could rapidly put a system in place to keep your users safe.
5. Have a PR plan. Sometimes it is okay to admit that you messed up; take ownership and help the community. Do all of this only once you've worked through the four points above.
Sometimes, paying off hackers demanding money might be the easiest thing to do. But understand that this will not keep you safe. Once they know that you are open to paying up, more of them will show up at your door. Invest in beefing up your security infrastructure, try using multiple security testing products, create an action plan for a worst-case scenario, and more. At the end of the day, this is a business decision. Decide what is right for your business at that point in time, but never do anything that encourages this kind of blackmail.