• ToastedRavioli@midwest.social
    arrow-up
    35
    ·
    8 days ago

    The group claimed it typically demands around 1.5% of a company’s yearly revenue in ransom.

    I love how they describe it like it’s an add-on fee from an airline or something

    • SGforce@lemmy.ca
      arrow-up
      10
      arrow-down
      1
      ·
      8 days ago

      Imagine bank robbers only asking for some arbitrary amount from the vault. There has to be a reason for this. They aren’t doing it out of the goodness of their hearts.

      • jubilationtcornpone@sh.itjust.works
        arrow-up
        21
        ·
        8 days ago

        There is a practical reason for the amount. It has to be something the victim can afford and it can’t be so large that they decide it’s cheaper to just ignore the threat and deal with the fallout.

        The hacker/scammer also, ironically, has to honor their word and stop releasing data once they’ve been paid off. Otherwise victims won’t pay because it’s a waste of money.

    • SoftestSapphic@lemmy.world
      arrow-up
      9
      arrow-down
      2
      ·
      7 days ago

      It is about as legitimate of a business model in a cyberpunk dystopia as the advertisers.

      If only these people had an easier way to make money then they wouldn’t do this.

  • A_norny_mousse@feddit.org
    arrow-up
    22
    ·
    edit-2
    8 days ago

    the information released has been restricted to the personal contact details of children who attend the nurseries, as well as their parents and carers.

    I do not approve of this.

    However.

    Way too many childcare facilities are next to clueless about protecting their customers’ (i.e. children’s) data. Many believe it’s cool to have a rolling Facebook blog with pics of kids. Online solutions provided by the government are only secure if you know how to use them safely, and I do not know of any kindergarten that has its own IT personnel. And they are less convenient than mobile apps so parents/employees continue to use WhatsApp instead.

  • atzanteol@sh.itjust.works
    arrow-up
    16
    arrow-down
    3
    ·
    8 days ago

    This has to be the stupidest group of hackers. Most of the information they have could be purchased legally from data brokers. Hell, a phone book is free.

    • Warl0k3@lemmy.world
      arrow-up
      12
      arrow-down
      1
      ·
      8 days ago

      The stolen information on the children includes medical records, incident reports and the allocation of drugs and medicine given to the children.

      They’re trying to intimidate the group into protecting the privacy of the children - while there are other ways to get the information, those other ways aren’t actively threatening to release the information publicly. It’s a decent enough move I suppose, though I doubt it will work since this company doesn’t care about the children and their reputation is going to be fine given how widely reported the hacking is. They’d have had a much better chance of getting a payout by going after the parents of kids with medical conditions or any other compromising information. How much could you have blackmailed the parents of an intersex kid for, given the current political climate, for example? Or one with an inheritable STD?

      • Railing5132@lemmy.world
        arrow-up
        5
        arrow-down
        2
        ·
        7 days ago

        Please don’t try to whitewash these criminals as heroes in this story. They know their target, chose it deliberately and chose to release sensitive information about the victims of their own accord for their own gain.

        Doing cybersecurity 100% right 100% of the time is damn hard work. Anyone that says ‘lol their security sucked, they deserved it’ has no idea how much work it takes to keep not only a complex system free from compromise, but also keep the users from shooting themselves in the face and taking the network down with them.

        • Warl0k3@lemmy.world
          arrow-up
          4
          arrow-down
          1
          ·
          7 days ago

          whitewash these criminals as heroes

          Okay I’m being genuine here - how was that your takeaway from my comment? I don’t know if there’s a way to sound sincere over text, but I promise I’m not even being slightly snarky, 100% sincere: what?

          • Railing5132@lemmy.world
            arrow-up
            2
            ·
            6 days ago

            My understanding of your first sentence in the first comment was that you were saying that the hackers were trying to ‘intimidate the group (the company) into protecting the privacy of the children’.

            That is what I based my response on. If I misunderstand, I apologize. (Also, I didn’t downvote you; for what it’s worth, I appreciate the sincerity.)

            • Warl0k3@lemmy.world
              arrow-up
              3
              ·
              6 days ago

              Nah that’s 100% right, it’s just that that’s not a good thing. They’re putting the children’s privacy in jeopardy, then trying to intimidate the company into protecting that privacy by threatening to release it (to great fanfare) if they don’t pay up. No heroics involved. And on top of that it’s just a really boneheaded strategy, that company just does not give a fuck about children, why would they ever pay out when they can point to all this coverage of the evil evil hackers to deflect from their doubtlessly rampant security failures.

              (Lol ty, I doubted it had been you)

              • Railing5132@lemmy.world
                arrow-up
                1
                ·
                6 days ago

                All good… I mistook the attribution of intent.

                But they’ll just slow drip the release anyway, going back for more and more ransom if they do pay.

                I guess my thing is (not knowing the company from Adam) I’d assume they’d rather not have the kids’ info released rather than simply not caring about it. Being hacked doesn’t necessarily mean they’re careless - I think that is what I was trying to convey.

                I’m almost solely responsible for cyber security at my job. I do my best, make the case for better protections, and secure things as best I can. If we got ransomwared, I’d be tempted to blow my head off. I have to get it right every single time. They have to get right or lucky just once.