Companies remain reluctant to admit paying hackers

Companies often refrain from disclosing that they have paid ransoms to cybercriminal groups after an attack, fearing that such an admission could pose legal and reputational risks.

Companies that choose to pay a ransom often do so to maintain or restore their business operations and to prevent hackers from publishing stolen data or making it inaccessible. Even when companies pay, hackers don’t always keep their promises not to publish stolen data, cybercrime experts say.

Caesars Entertainment, the casino operator, for example, has not publicly stated that it paid hackers after a cyberattack in late summer. The Wall Street Journal reported last week that Caesars had paid about half of the $30 million ransom demanded by the hackers. Unlike competitor MGM Resorts, which was hacked on September 10, Caesars appears to have avoided major technology outages. Caesars and MGM did not immediately respond to requests for comment.

In a Sept. 14 filing with the Securities and Exchange Commission, Caesars made no reference to paying a ransom, saying, “We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.”

The issue reflects the challenges federal regulators face in imposing more transparency on how companies handle cyberattacks. Companies are often unwilling to disclose more information than is required, in part because they fear lawsuits and reputational blowback.

The SEC approved new rules in July requiring publicly traded companies to report, starting in December, the nature, scope and timing of significant cyberattacks in 8-K filings and other regulatory forms. Some companies are already reporting cyberattacks this way, such as Clorox, which filed an 8-K regarding a hack that has disrupted order processing for some products since August.

Some states, regulators, and the federal government have specific rules regarding incident reporting, or are considering implementing them, but the SEC’s are by far the most detailed.

The materiality threshold under the SEC rules would in many cases include whether a company paid a ransom, said Doron Goldstein, a privacy and cybersecurity partner at the law firm Withers.

Payments amounting to millions of dollars could be significant for some companies, Goldstein said. “We’re going to see more reporting on things that the public didn’t know were happening before,” he said.

The rate at which victims pay ransoms has been declining steadily for years, which cyber experts attribute to higher investments in security, better practices, and more extensive training and preparation in incident response.

In the second quarter of 2023, a record-low 34% of attacks led to companies paying, according to Coveware, which negotiates with hackers on behalf of victims. This figure was 42% for the same period in 2022, 53% for the second quarter of 2021, 69% for the same period in 2020 and 79% in 2019.

At the same time, Coveware said, the average amount of ransoms paid has increased sharply in recent months to $740,144 at the end of the second quarter of 2023, an increase of 126% from the first quarter.

The cybersecurity industry is divided over whether companies should pay ransoms. The Federal Bureau of Investigation generally advises victims not to pay because it encourages more attacks. Companies that pay could be violating U.S. sanctions against cybercriminal groups or countries, said Nick Hyatt, head of cyber practice at security firm Optiv.

For certain sectors, the decision is based on delicate calculations. Broken computers and equipment in healthcare facilities, for example, can have deadly consequences. Casinos and hotels can be crippled by lengthy outages, which could harm local economies.

“As entertainment and hospitality are deeply ingrained in cities like Las Vegas, the repercussions of an attack can be widespread,” Hyatt said, referring to the hacks at MGM Resorts and Caesars.

In rare cases, companies have publicly admitted to paying a ransom. In 2021, Joseph Blount, chief executive of Colonial Pipeline, told the Wall Street Journal that he authorized a $4.4 million payment because executives were unsure of the magnitude of the attack’s effects on the energy company and how long it would take to restore operations. “I have to admit I wasn’t comfortable seeing money go out the door to people like this,” Blount said at the time.

Companies may pay but not acknowledge it because of embarrassment or fear of providing ammunition for possible lawsuits, said Bob Zukis, CEO of the Digital Visitors Network, an organization that advocates for cybersecurity subject-matter expertise on company boards of directors.

“It would be an admission that it was a measure of last resort: there was nothing else we could do and so we had to pay,” he said. “Why put that out there?”

Caesars said in its SEC filing that hackers stole data from its loyalty program database, including members’ driver’s licenses and Social Security numbers.

“What do they have to gain by confirming that they paid millions of dollars to criminals who could attack a children’s hospital or charity the next day?” said Brett Callow, a threat analyst at Emsisoft, a cybersecurity company. “Being seen as funding these groups can be very bad publicity,” he said.

Write to Catherine Stupp at catherine.stupp@wsj.com and James Rundle at james.rundle@wsj.com

Copyright ©2022 Dow Jones & Company, Inc. All rights reserved.
