9 November 2022

Ransomware: Should you pay?

Written by Laura Cunningham

The rise and rise of ransomware attacks

Following an initial surge at the beginning of the Covid-19 pandemic, the number of ransomware attacks in the UK has continued to rise steadily. The number of attacks reported to the Information Commissioner’s Office (“ICO”) doubled in the last year, causing enormous disruption to businesses across the region. As technology advances, ransomware has adapted and evolved, with attackers developing increasingly sophisticated techniques and tactics. The sectors most heavily impacted included finance, education, healthcare and insurance and, as a result, a large number of organisations have felt compelled to pay a ransom in order to have their data decrypted.

As the number of ransom payments increases, so does the number of attackers. The National Cyber Security Centre (“NCSC”) identifies ransomware as the biggest cyber threat facing the United Kingdom. It is reported that approximately 58% of stolen data contains personal data; all prudent organisations should therefore be prepared to protect against such security incidents.

What is ransomware?

Ransomware is a type of malware that prevents an organisation from accessing its computers or computer systems (or the data stored on them). The computer itself may become locked, or the data on it might be stolen, deleted or encrypted. Some ransomware will also try to spread to other machines on the network.

Organisations are then invited to contact the attacker via an anonymous email address or webpage to make payment (usually via cryptocurrency) in order to secure return of the data. However, it goes without saying that even if an organisation pays the ransom, there is no guarantee that it will regain access to its computer system or files.

High profile attacks

In August 2022, Advanced, which supplies vital software to the NHS, was hit by a cyber-attack which reportedly targeted its Carenotes records system. This attack caused widespread outages within the health service across the UK, including ambulance dispatches, urgent treatment centres and NHS 111.

This incident follows a similar attack on the Irish healthcare system in 2021, during which all IT systems were shut down following widespread disruption initiated by an “internationally operated criminal operation”.

As recently as this week, Australia’s largest health insurer, Medibank, announced that it would not pay a ransom for data from almost 9.7 million current and former customers that was stolen in a data hack.

How to protect your organisation

Cyber security is a constantly evolving arena; therefore, in order to protect itself from such attacks, your organisation should implement robust technical and organisational measures to keep data secure.

In a recent joint letter, the ICO and NCSC note that some organisations are paying ransoms in the belief that this will reduce the risk of any enforcement action being taken by the regulator. However, the ICO has pointed out that ransom payments do not reduce the risk to individuals nor are they an obligation under data protection legislation.

The ICO has indicated that it will not consider payment of a ransom as a mitigating factor when assessing the type or scale of enforcement action; however, it will consider any early engagement and co-operation with the NCSC positively when determining its response. Both agencies urge organisations to be vigilant and take the necessary steps to assess and remediate any gaps within their cyber security systems. The UK Information Commissioner also warns that paying ransom demands will incentivise other attackers to strike and will not guarantee that any compromised files will be recovered.

We recommend considering the following to build an effective and robust cybersecurity system:

  • Establish and communicate a set of suitable security and data protection policies;
  • Implement regular staff training on the identification and prevention of cyber-attacks;
  • Regularly back up data and (where appropriate) keep offline backup files;
  • Establish an incident response and disaster recovery plan that addresses the full range of incidents that can occur, and test such incident management plans regularly;
  • Identify your legal obligations regarding the reporting of incidents to regulators and understand how to comply with them in your business.

If you would like any further information or advice on these issues, please contact Laura Cunningham from the Commercial team.

*This information is for guidance purposes only and does not constitute, nor should be regarded, as a substitute for taking legal advice that is tailored to your circumstances.

About the author

Laura Cunningham

Senior Associate

Laura Cunningham is a Senior Associate in the Commercial team at Carson McDowell. She is qualified to practice in Northern Ireland, Republic of Ireland and England and Wales. Laura specialises in all aspects of information law including: privacy, confidentiality, data protection, General Data Protection Regulation (GDPR), and freedom of information (FOIA).
