An increasing number of ransomware victims in the UK hesitate to disclose cybersecurity incidents, noted NCSC Incident Management Deputy Director Eleanor Fairford and ICO Regulatory Cyber Director Mihaela Jembei.
This is the complaint of almost all law enforcement agencies across the world.
“They are the attacks that aren’t reported to us and pass quietly by, pushed to one side, the ransoms paid to make them go away,” they wrote in an NCSC blog post.
“And if attacks are covered up, the criminals enjoy greater success, and more attacks take place. We know how damaging this is.”
The NCSC-ICO joint blog post is the latest in a long list of regulatory warnings issued in the UK insisting firms to disclose cybersecurity incidents.
Why regulators insist firms to disclose cybersecurity incidents
In July 2022, NCSC and the ICO issued a joint open letter, demanding that lawyers should not advise clients to pay ransomware demands should they fall victim to a cyber-attack.
“In recent months, we have seen an increase in the number of ransomware attacks and ransom amounts being paid and we are aware that legal advisers are often retained to advise clients who have fallen victim to ransomware on how to respond and whether to pay,” said the letter.
“It has been suggested to us that a belief persists that payment of a ransom may protect the stolen data and/or result in a lower penalty by the ICO should it undertake an investigation. We would like to be clear that this is not the case.”
Law enforcement agencies neither support nor approve the act of paying ransoms, the letter said.
Although paying ransoms is not generally illegal, those who choose to pay should consider the potential impact of relevant sanctions policies, particularly those related to Russia, and the accompanying public guidance, which may alter the situation, it explained.
Furthermore, paying ransom encourages malicious actors to engage in further harmful activities, and it does not necessarily guarantee that the affected networks will be decrypted or that the stolen data will be returned, the letter warned.
The ICO advisory on ransomware and data protection is clear on ransomware payment: Don’t!
“Before paying the ransom, you should take into account that you are dealing with criminal and malicious actors. Even if you pay, there is no guarantee that they will provide you with the decryption key,” said the advisory.
“Double extortion’ is also common, where you pay for the decryption key and the attacker then requires an additional payment to stop the publication of the data. Attack groups may also target you again in the future if you have shown willingness to pay.”
Even if the victims fail to disclose cybersecurity incidents, law enforcement often catches up, as cybercriminals maintain the payment details, and often copies of pilfered data, noted the Europol Internet Organized Crime Threat Assessment Report 2020.
In negotiations with victims of ransomware attacks, cybercriminals often mention specific companies as proof that the victim’s data will be decrypted upon payment.
Some of these companies may negotiate with the criminals to obtain a larger discount on the ransom payment, which may or may not be reflected in the victim’s invoice.
According to the report, in exchange for using these companies, victims may receive a ransom discount and be discouraged from filing an official complaint with law enforcement.
“Not reporting cases to law enforcement agencies will obviously hamper any efforts, as important evidence and intelligence from different cases can be missed,” said the report.
“Furthermore, a case involving personal computers being targeted by ransomware shows that victims had opted to purchase new machines rather than report the event to law enforcement.
“Here victims were stunned when they were contacted by law enforcement over the ransomware attacks, and were under the impression that law enforcement would not do anything about the situation.”
However, organizations have another story to tell.
Why victims hesitate to disclose cybersecurity incidents
From loss of clients to regulatory fines and lengthy lawsuits, organizations have a long list of valid reasons not to disclose cybersecurity incidents or to play them down. These are the two common ones among them.
Fear of regulatory action and fines: This is a longstanding reason why victims hesitate to disclose cybersecurity incidents. The safety of your systems and the data they hold is squarely your responsibility, and any breach would put you on the bad side of the law.
The General Data Protection Regulation (GDPR), which came into effect in the EU in May 2018, has significant enforcement powers, with fines for violations reaching up to 20 million Euros or 4% of a company’s global annual revenue, whichever is greater.
In 2020, European data agencies imposed fines of $193 million (€159 million) for violations of GDPR, with the largest penalty of $57 million issued by French authorities to Google.
Although the US does not have a direct equivalent to GDPR, three states―California, Colorado, and Virginia―have implemented extensive consumer data privacy laws.
The three laws have several common provisions, such as the right to access and delete personal information, as well as the ability to opt-out of the sale of personal information, among other rights.
The US Securities and Exchange Commission (SEC) in March put a penalty of $3 million on software company Blackbaud to settle charges by for making misleading disclosures about a ransomware attack that affected over 13,000 customers in 2020.
According to the SEC’s order, Blackbaud announced on July 16, 2020, that the ransomware attacker did not access donor bank account information or social security numbers.
However, within days of this announcement, Blackbaud’s technology and customer relations personnel learned that the attacker had accessed and exfiltrated sensitive information, but failed to communicate this information to senior management responsible for its public disclosure.
This leads us to the next reason.
Fear of reputation damage and loss of business: Companies may fear that reporting a cybersecurity incident will damage their reputation, leading to a loss of trust among customers, investors, and other stakeholders.
They may worry that customers will choose to do business with competitors that have not had similar security breaches. They often choose not to disclose cybersecurity incidents or try to whitewash the situation.
This often leads to penalties, as in the case of Blackbaud.
Earlier, UK-based education and publishing firm Pearson received a $1 million penalty from the securities watchdog for deceiving investors about a 2018 data breach that led to the theft of millions of student records.
The agency discovered that Pearson had made misleading statements and omissions about the data breach, which resulted in the theft of millions of student usernames, scrambled passwords, and administrator login credentials for 13,000 schools, districts, and university customer accounts.
Even though the data breach had already occurred, Pearson referred to the incident as a hypothetical risk in a semi-annual review filed in July 2019, according to the SEC.
Likewise, in a release issued the same month, the company stated that the breach might include dates of birth and email addresses, despite being aware that such records had been stolen.
Why is it better to disclose cybersecurity incidents
The latest ICO-NCSC blog post lists six myths which make organizations decide not to disclose cybersecurity incidents.
Everything will be okay if I conceal the attack:
“Every successful cyber attack that is hushed up, with no investigation or information sharing, makes other attacks more likely because no one learns from it,” said the blog post.
“Every ransom that is quietly paid gives the criminals the message that these attacks work and it’s worth doing more.”
Reporting the incident to the authorities increases the likelihood of it becoming public: In the event of a cyber attack, seeking help from the National Cyber Security Centre (NCSC) or law enforcement can provide access to the support and resources available, advised the blog post.
According to the blog post, the ICO takes into account an organization’s proactive efforts to seek support and implement advice and is even considering explicitly reducing fines for those who positively engage.
In cases where public disclosure is necessary, the ICO will usually communicate with the company to avoid any surprises, it added.
Paying a ransom resolves the incident: The ICO does not support paying ransoms as a means of reducing risk to individuals, as it is not considered a reasonable safeguard under data protection law.
Similarly, the NCSC and law enforcement do not endorse, promote or encourage ransom payment.
The blog post encouraged victim organizations left out of options to contact with the law enforcement to help them understand the situation and identify vulnerabilities in their systems that may have allowed the attack to happen in the first place.
No need to pay ransom if there are good offline backups: It’s important to consider the sensitivity of the data you possess and the measures in place to secure it, as attackers may threaten to disclose it unless a ransom is paid, the blog post said.
It’s your responsibility to safeguard other people’s personal data at stake. Data protection laws require the proper handling and security of personal data.
If there is no evidence of data theft, no need to disclose: Always assume that data has been stolen if there is any indication that an attacker has accessed your systems holding data, warned the blog post.
Seeking early support and communicating openly can reduce the risk of future data leaks. Remember, lack of evidence is not evidence of absence, and poor situational awareness is not a sufficient technical control.
Organisations have a responsibility under data protection law and other legislation to report incidents where thresholds are met.
A fine is the only penalty for data leakage: The ICO will not always fine you just because there has been a data leak – it depends on the context of the individual case, the blog post noted. The regulator aims to help organizations improve their data protection practices rather than just punishing them.
If your organization has taken steps to understand and learn from the incident, and sought guidance and support, it could positively impact the ICO’s response.
Cybercriminal gangs may try to convince you that paying a ransom will prevent a huge fine, but don’t fall for their tactics. Seek support and communicate early to avoid further problems.