Business Law
August 9, 2018

Cybercrime: What to do if your business is being held to ransom

Cybercrime, against both businesses and individuals, is becoming more common. It is frightening, and it is a major issue for businesses, which may suffer significant financial losses as a result. There are also potential legal issues which must be considered, especially if customers’ data has been compromised.

Make it as difficult as possible for the hackers to get in

The best form of offence is a strong defence. Ensure you have technical advice from the start and make sure your online presence is fully protected; many ‘Denial of Service’ attacks and other online cyber attacks can be prevented at source. However, if hackers do manage to get through and hold you to ransom, the most important thing to do is to isolate the affected computer or system from the network immediately and seek further technical advice.

Inform the authorities

It is a crime for a hacker to attempt to extort money from you by locking your computer or threatening to publish damaging information about you. You should contact your local police as soon as possible, who may put you in touch with their Cybercrime Unit. There are techniques and software available to them which they can use to try to trace the source of the attack.

The National Fraud Intelligence Bureau (NFIB) sits alongside Action Fraud within the City of London Police, which is the national policing lead for fraud. The NFIB uses millions of reports of fraud and cybercrime to identify serial offenders, organised crime gangs, and established as well as emerging crime types. Action Fraud, together with Cyber Protect UK, warns people about ransomware and the dangers associated with it through its Twitter account and the #RansomAware hashtag.

Inform your customers

Don’t do what several large organisations have done in recent years and try to hide the attack from your customers. Tell them as soon as possible that their data may have been compromised, and keep them updated on what you’re doing to rectify the situation.

The Information Commissioner’s Office (ICO) states:

  • The General Data Protection Regulation (GDPR) introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
  • If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
  • You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.
  • You must also keep a record of any personal data breaches, regardless of whether you are required to notify.

Don’t be fooled into thinking the hacker’s a ‘good guy’

One of the most common scams carried out by hackers is to claim that they are ‘online security experts’ and have hacked into your system to demonstrate weaknesses inherent within your network. For a ‘fee’ they’ll unlock your computer and tell you how they did it. The variation on this is to victim-blame, saying that it’s your own fault your security is weak, and unless you pay them they’ll pass on details about access points to your systems to other hackers.

Don’t pay them as a general rule

With so much vulnerable data at risk (and the corresponding cost to businesses if that data is then released on the internet), many businesses simply comply and pay up. That, unfortunately, does not mean the threat has passed. The attackers still have your data and can continue to blackmail you for as long as they want to do so. In the case of ‘Denial of Service’ attacks or ‘lock-outs’, the hacker may give you a certain amount of time to comply. The best thing you can do at this point is to inform the police immediately and work with them, following their instructions on a case-by-case basis.

The payment of ransoms is not inherently unlawful; however, there are circumstances in which a ransom payment might be prohibited and might trigger notification requirements to various regulatory bodies. The legality of making a ransom payment depends to some extent on the purpose to which the funds are to be put, which may not be easy to determine.

It is an offence to enter into an arrangement which one knows or has reasonable cause to suspect will or may result in funds being used for the purposes of terrorism. Therefore, if a firm has reason to suspect that a ransom payment would result in a benefit to terrorists, it should consider seeking consent from the NCA before making such a payment. It is an offence not to disclose a suspicion or belief of terrorist financing activity. Firms should also consider whether any exemptions apply.

Will I get my day in court?

The most likely answer is no. Most cyber-attacks originate from the other side of the world, not your local neighbourhood (although making sure your Wi-Fi network is properly password-protected is key to stopping ‘drive-by’ hackers gaining access). So the chances that you’ll see the perpetrator behind bars for their crimes are small. However, your evidence could be crucial to protecting not just yourself in the future, but other businesses too. Always make sure you work with the authorities, and make sure you have legal advice, especially if your clients’ data has been compromised.

If you wish to discuss any cybercrime legal concerns please contact Richard Lamb, Solicitor, on 01732 355911 or


The contents of this article are for the purposes of general awareness only. They do not purport to constitute legal or professional advice. The law may have changed since this article was published. Readers should not act on the basis of the information included and should take appropriate professional advice upon their own particular circumstances.
