Lawyer sees the logic in data hack ransom deal
United States company Blackbaud’s decision to pay off hackers, helping to secure data for two NZ universities, is understandable, a Wellington lawyer says.
“It’s a tough, two-edged call to pay the ransom — but I can understand why they decided to pay,” said Wigley & Co principal Michael Wigley.
“Toughing it out against ransom demands might have been worse. At least it’s a wake-up call for the universities and the provider, so improved cybersecurity is likely.”
On Thursday, the University of Auckland sent an email to alumni and donors, saying their information had been “involved” in a ransomware attack on Blackbaud, a Nasdaq-listed US company that specialises in handling databases for non-profits.
And in an email to alumni on the same day, Otago University deputy vice-chancellor Helen Nicholson said clarification was being sought from Blackbaud on whether data sent by the university in 2014 might have been affected.
The attack took place in May. Blackbaud said in a statement: “Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.”
In paying up quickly, Blackbaud went against most law-enforcement advice, but saved itself the embarrassment of having samples of its files made public online.
Blackbaud would not comment on the size of the ransom, but other high-profile attacks on large companies, such as the TravelEx attack in January, have seen demands in the region of US$5-6 million.
Auckland University said it did not know the amount of ransom paid by Blackbaud. It was not party to the transaction.
The NZ Police and Crown cybercrime agency Cert NZ recommend that those hit by ransomware do not pay. Data may not be decrypted or returned as promised, and the proceeds often go to criminal gangs, helping to sustain operations in other areas such as drug and human trafficking.
Copies of data might not be destroyed, but instead used for blackmail, and returned data can be booby-trapped to allow future access to an organisation’s network, Cert NZ deputy director Declan Ingram recently told the Weekend Herald.
But Wigley said earlier that commercial pragmatism would result in some companies deciding to pay a ransom if it was lower than the cost of restoring lost data.
Wigley added: “Sometimes paying out could even answer a legal duty. Say A has a duty to protect B’s information, such as under a contract or some other duty, and a ransom leads to a breach of that duty.
“The ransomed company A has a duty to mitigate loss and one way to do that could be to pay out on the ransom.”