Ransomware: should you pay?

With recent research showing that the threat of large GDPR fines is encouraging UK IT directors to pay cyber ransoms (as reported in ComputerWeekly), and cyber attacks regularly hitting the headlines, it is hard for organisations to know how to respond to a ransomware demand. However, this week two regulators have published information which gives some guidance as to their current views on the subject.  On Tuesday the FCA published a ransomware infographic and speech urging organisations to follow National Crime Agency advice and not pay ransoms, while a day earlier the ICO published a monetary penalty notice criticising Uber for its ransom payment (alongside a number of security failings). 

In the latter, the data regulator fined Uber £385,000 for a 2016 cyber-attack involving 32 million non-US users (2.7 million of whom were based in the UK) and almost 82,000 UK based drivers. 

Uber paid the attackers $100,000 through its “bug bounty” programme – a programme which invites outside information security experts to search for vulnerabilities on Uber’s systems and tell Uber about them in exchange for a reward. The ICO stated that Uber US’s decision to treat the incident as a bug bounty rather than a security breach “demonstrates an inadequacy in its decision making when contacted by the attackers” and that this, together with other security failings, constituted “inadequacies in Uber US’s arrangements for ensuring the security of personal data on the [breached] system.” 

It is unclear from the monetary penalty notice (which sets out the ICO’s reasons for fining) whether it was unhappy with the payment of the ransom as such, or just the fact that it was paid as part of the ‘bug bounty’ programme. In any event, dressing up ransomware payments as rewards for identifying security flaws does not, it seems, go down well with the ICO.