Daily Mail

UNITED FACE £15m FINE IF THEY PAY HACKERS

- By CHRIS WHEELER

MANCHESTER UNITED face a fine of up to £15million if they give in to the demands of cyber-hackers holding the club to ransom.

The ‘double whammy’ threat emerged yesterday as United continued to fight the sophisticated attack that has crippled the club’s systems for more than a week, as revealed by Sportsmail.

United are already faced with a ransom demand that is believed to run into millions of pounds — or risk highly-sensitive information being leaked into the public domain. However, if they pay the hackers to call off the attack, they could fall foul of new US legislation that is punishable by a fine of up to £15m.

Although United are a UK-based company, the Glazer-owned club are listed on the New York Stock Exchange and therefore subject to US law. Their share price dropped yesterday in the wake of Sportsmail’s revelations.

The US Treasury Department announced last month that any organisations meeting the ransom demands of hackers who appear on their global hit list risk incurring a hefty financial penalty — even if the victims are not aware of the criminals’ identity. The list includes the Russian cybercrime gang Evil Corp, the North Korean Lazarus Group and SamSam ransomware attacks emanating from Iran.

The US Office of Foreign Assets Control, an arm of the treasury, warned that paying the ransom demand would only boost the criminals’ finances and encourage them to strike again elsewhere.

The OFAC statement read: ‘Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.

‘Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims.

‘Ransomware payments may also embolden cyber actors to engage in future attacks.’

The OFAC and the UK’s National Cyber Security Centre have also warned organisations there is no guarantee criminals will keep their word if the demands are met. This may include not handing back sensitive information they have encrypted or leaking it on the internet.

The threat of a US fine for United is in addition to the threat of a penalty of up to £18m from the independent UK Government body, the Information Commissioner’s Office, if the data protection of their huge fanbase has been breached — although the club are not aware that it has.

A spokesperson for the ICO said yesterday: ‘MUFC have made us aware of an incident and we are continuing to make enquiries.’

The timescale of those enquiries varies, with a range of actions available to the ICO. Last month they fined British Airways £20m and Marriott International £18.4m for failing to protect their customers’ personal information.
The National Cyber Security Centre also issued a statement as the Old Trafford crisis continued yesterday. It read: ‘We are aware of an incident affecting Manchester United Football Club and have been working with law enforcement partners in response.’

It is understood the NCSC became involved after United contacted police following the attack nine days ago. The club have since been following a ransom protocol, but it is unclear if they will pay up.

The attack is believed to have come from an email phishing scam, although United will not confirm it is ransomware, and are not commenting on the identity of the hackers or their motives.

The club’s computer network is still down and staff are unable to access their company email accounts. However, United insist the disruption has been minor and has not affected matchday operations, with two home games taking place since the attack. They also pointed out that the club’s media channels and ecommerce operations have continued to operate smoothly.

Bombshell: how Sportsmail broke the story yesterday
