
Don’t pay out to ransomware criminals, businesses warned


By PA News

The Information Commissioner’s Office has issued a warning to firms over the dangers of paying ransom demands (PA)

Businesses have been warned not to pay ransom demands for data stolen in cyber attacks following a number of high-profile ransomware attacks on firms around the world.

The Information Commissioner’s Office (ICO) has issued the warning in response to claims from cyber criminals that paying a ransom reduces the scale of enforcement action taken against a firm by the data protection watchdog – which the ICO said was “incorrect”.

Ransomware is a form of cyber attack where criminals break into an organisation’s system and encrypt files, making them inaccessible, and demand a ransom payment in order to release them.

It has been used in a number of high-profile incidents, including the 2017 attack on the NHS.

The ICO said paying ransoms does not reduce the risk to individuals, is not an obligation under data protection law, and is not considered a reasonable step to safeguard data.

The data protection watchdog also warned that making payments only encouraged criminals further.

“Engaging with cyber criminals and paying ransoms only incentivises other criminals and will not guarantee that compromised files are released,” Information Commissioner John Edwards said.

“It certainly does not reduce the scale or type of enforcement action from the ICO or the risk to individuals affected by an attack.

“We’ve seen cyber crime costing UK firms billions over the last five years. The response to that must be vigilance, good cyber hygiene, including keeping appropriate back-up files, and proper staff training to identify and stop attacks.

“Organisations will get more credit from those arrangements than by paying off the criminals.”

Last week, the UK and US sanctioned seven Russian nationals over their links to the development and deployment of ransomware, and the chief executive of the UK’s National Cyber Security Centre (NCSC), Lindy Cameron, has called the form of attack the “most acute cyber threat facing the UK”.

The ICO said that in the event of a ransomware attack, it was a regulatory requirement for firms to report the incident to the ICO as the UK’s data regulator if people are put at high risk, and that firms should also notify the NCSC, which would provide support and incident response.
