Yesterday Uber revealed that it had kept silent for more than a year about a massive data breach impacting 57 million people. Hackers found and accessed data on an Amazon cloud server used by the firm. To keep the leak secret, Uber paid the hackers a ransom of $100,000.
The question of whether to give in to a hacker’s payment demands is complicated, and the answer is often ambiguous. Making the right decision for your organization requires balancing all the variables: costs, potential damage, harm to reputation and more. Succumbing to cyber bad-guy demands is tempting. After all, the cost is not significant in the larger scheme of things.
You have been hacked, and now your organization is being extorted. But just as you should not do business with terrorists, you should not do business with cyber attackers.
Here are a few reasons why you should not pay hackers:
- An attacker can release your data to additional parties, even when you pay the ransom.
- Once an attacker has been paid, he is motivated to continue launching attacks.
- An attacker can always ask for additional money.
- Trusting a hacker to act honorably makes as much sense as trusting a thief.
- The money attackers steal can be used to finance terror, organized crime and additional cyber crime.
So what should you do when you’ve been breached?
- Notify the relevant authorities such as local law enforcement, the FBI Internet Crime Complaint Center in the United States and Europol in the EU.
- Contact a cyber Incident Response provider, as well as a company which can carry out physical investigations as needed. Cynet provides frontline Incident Response, led by a team of seasoned experts who have helped global organizations and authorities identify and capture hackers who carry out online fraud and data breaches.
- Have an action plan in place to detect and capture attackers and protect data.
- Understand the source of the leak (based on the information which was stolen). If the hacker requests money, ask for an example of the data he claims to have in order to understand what he has accessed (this should be done in cooperation with law enforcement).
- There are many techniques which can be used to identify the attacker’s language, profile, country of origin, IP, hours of activity (this can sometimes assist in identifying country of origin), address and more.
- Work by process of elimination: Could it be a current employee? Outside vendor? Local attacker? Attacker from another country? Speaker of a specific language? Someone who works at certain hours? Is it an individual or an organization? Etc.
- Do not play according to the attacker’s rules; make the attacker play by your rules.
- Tell the attacker to send you proof that data was actually stolen.
- Buy time: tell the attacker that arranging payment takes time, and that you are a big organization which needs to go through an authorization process.
- Ask the attacker to explain how exactly he breached your organization.
- Tell the attacker you want to see that he is still inside your network.
What can you do prior to being breached?
There is a long list of actions you can take to keep your organization secure, including encrypting data, protecting data in the organization and in the cloud, protecting endpoints and networks, perimeter protection for email and web browsing, utilizing smart deception capabilities within the database and more.
What should you do once you have been hacked?
Obviously, you first need to deal with the current breach by implementing your Incident Response plan. Once this has been done, it is time to re-assess your security situation. If you utilize multiple siloed solutions, it is difficult to achieve full visibility across the organization. A comprehensive security platform such as Cynet 360 provides visibility across all critical areas in the organization: endpoints, users, files and the entire network. This ensures real, accurate alerts, allowing your IT security team to work in a more efficient, effective manner to protect your assets and strengthen the organizational security posture.