Desperate companies are buying off data thieves and extortionists to recover stolen data, according to experts. They claim it is “common” for some businesses operating in Australia to pay ransoms to hackers and disgruntled employees to re-secure sensitive information or prevent illicit corporate activities from becoming public.
Law firm MMLC Group managing director, Matthew Murphy, said instances of companies buying back stolen data “happens quite a lot, but doesn’t hit the headlines” in Australia.
“Companies will try to keep it quiet. They might make an arrangement with an employee who has stolen data that could get them in trouble... like kick-backs that management isn’t aware of,” Murphy said.
“There are instances of employees taking data, maybe corporate data or access identities to extort the company... they are dealt with very quietly.
“Usually the employee is smart enough to have something else (other than one instance of stolen information) up their sleeves,” he said.
The German government made headlines this month after publicly stating its intent to pay $4.2 million for data stolen from Swiss bank HSBC that is thought to incriminate an alleged 1500 citizens in some $313.4 million of tax fraud. The move has inflamed political tensions between the two countries and increased international pressure on Switzerland to become more transparent about the money and accounts held in its famously secretive financial institutions.
In a separate incident, HSBC inadvertently exposed sensitive customer information last December when a ‘bug’ in its imaging software allowed redacted bankruptcy statements to be read.
Hack Labs director, Chris Gatford, a well-known IT security expert, said he is aware of businesses in Australia that have paid for data stolen from their organisations.
“Smaller-risk cases have occurred in Australia for some time,” Gatford said.
“The data is not as valuable as that [stolen from HSBC].”
Surete Group managing partner and former director of the Australian High Tech Crime Centre, Alastair MacGibbon, said businesses that buy back stolen data should be “extraordinarily” careful of breaching legal and corporate requirements.
“At the very least they are rewarding and perpetuating criminal acts. Criminal acts must be reported to the police, and legal advice should be sought for civil offences,” he said.
“There are ways to keep breaches confidential while still reporting the issue to authorities... do not keep your head in the sand, these things do not blow over.”