Paying off hackers

Aberystwyth University, a name that could do with a few more vowels, recently lost some data to hackers.

They weren't alone: a number of other educational establishments suffered the same fate.

The hole the hackers crawled through wasn't in the universities' own systems. It was left lying around by a company called Blackbaud, which provides software and hosting for these educational institutions. The attack used ransomware, which encrypts a victim's data and demands a fee for the key to decrypt it. The hackers also took a copy of some of the data before they were done, so this was a theft as well as a lock-out.

Blackbaud paid the fee, which astonishes me. It isn't illegal to do so, which astonishes me even more, although security agencies worldwide recommend against it.

I can see how paying off hackers might look like the simplest solution for an organisation, but it's very selfish. It makes it worthwhile for the hackers to continue and it finances their exploits against other organisations. It's funding crime and I'm staggered that's not already illegal. It certainly should be.

In an act of what I can only assume is insanity, Blackbaud said, after paying off the hackers, that they've had:

… confirmation that the copy of the data they [the hackers] removed had been destroyed.

How can they possibly trust this?

There is absolutely no way to know whether a shady, criminal organisation has deleted every copy of the data it stole. The only evidence on offer is the word of the people who have just extorted you.

If companies are only going to act in self-interest rather than the greater good, this is something that needs to be addressed at a government level.

There's something to be said for removable media. Back in my mainframe days, everything was backed up to tape and stored at a secure, off-site location. At least hackers can't access such media from behind a desk in another country: a copy that is offline and elsewhere can't be encrypted or deleted over a network connection. Sure, you might lose a day's data if you have to restore, but that's bearable and certainly better than losing the whole lot. Good backups only blunt the encryption half of an attack like this, though. They do nothing about the copy the hackers walked off with.