Good for them not to pay up!
that's all.
A London ad agency that counts Atlantic Records, Suzuki, and Penguin Random House among its clients has had its files dumped online by a ransomware gang, The Register can reveal. The7stars, based in London's West End, filed [PDF] revenues of £379.36m up from £326m, gross billing of £426m and net profit of £2.1m for the year …
I agree and I'd go further.
Any organisation should be granted immunity from prosecution under data protection laws in such circumstances[1]. It should be a crime, with draconian penalties attached, to pay the useless parasites.
[1] i.e. when a third party has broken in and nicked it for publication. Let's face it, if your house is burgled you do not get done for "aiding and abetting" if you do not have the best locks available installed.
Re the 'best locks' ... Actually under DP rules you do expect them to get the best locks they can afford. DP principles require security to be 'appropriate' so what this company should do needs to be appropriate based on their available finances and situation.
While you might not expect them to have the same level of technical security as HMRC or the NHS you would expect them to have more sophisticated tech than an accountant who is a Sole Trader.
If they haven't employed obvious security measures such as patching and the like they would have breached GDPR.
All that said the fact this is a criminal attack would be mitigation against any enforcement action.
The IT angle? Charlie Stross is one of Random Penguin's authors.
As always, "a sophisticated ransomware attack", I call bollocks. It will be a standard hack of a Windows network carried out under the nose of the clueless pointy, clicky IT dept.
Try taking security seriously BEFORE the hack happens.
If you are a hospital and your patient records have all been compromised, you may not have a choice. Just the money that could be lost from not having billing records could well exceed the payment demands. You take your lumps and hopefully learn from the episode.
Spending the money on top quality IT is important these days. Having deep backups. Keeping records offline that don't need to be online. Maintaining separate systems so a junior staff member in the housekeeping department can't click the wrong link while on break and lock up the whole of R&D's work on next year's product introductions. Computerizing things was supposed to lower costs and increase efficiency. Did the people on the C level just hoover up all of that money?
I've seen photos of pre-calculator days when offices were full of clerks that kept track of things. It's like design departments that were a football pitch of draftsmen all creating drawings one at a time. My drafting table has been in the garage for ages and I still have a big case full of pencils, templates, scales, you name it. I keep telling myself that I'll find a place to set it up someday. hmmmmmm.
Ahh, America and patient billing. Well, I can believe that most of the "insurance" money gets spent on anything except patient care. What a wonderful system.
I am glad I live in the UK with the NHS rather than an 18th century healthcare system designed for the wealthy. The NHS is not perfect, but at least it is free (if you live here).
The NHS also has its own version of patient billing.
Everyone who has any medical interaction with a hospital will have their treatment documented and costed, with the figures heading off to a government dept so that the hospital can reclaim the money.
This leads to teams of people being paid real money so they can administer a system whose sole purpose is to reclaim governmental inter-department plastic pennies.
Still, I suppose it will be so much easier for the incompetents who govern us to sell off the family silver when the hospital cost/profit ratio is known.
Yep, U.S. insurance companies are a scam, skimming at every position, patient, hospital, DR, every device, stack up tall at the end of the day. It is the #1 cost of health care in the US. But don't mistake UK healthcare as free, you and everyone else pay taxes for it. UK actual cost is much lower at the end of the day in the UK, not being skimmed at every chance. Getting the US to that without running off doctors (what happens in many countries that suddenly nationalize healthcare) isn't an easy path. These companies in the US have a very tight grip on politicians and businesses - I don't see things changing in my lifetime.
You can't keep all the threats off your system because you actually employed some of them. To mitigate ransomware threats you need to a) encrypt anything sensitive and b) BACKUP YOUR DATA. Other than that implement some basic intrusion prevention and maybe educate your idiots... sorry, staff, to NEVER CLICK on links in emails is about the best you can manage. Air-gapped systems are all well and good for military or research but not much use for an Ad Agency whose business relies on internet access.
"b) BACKUP YOUR DATA"
c) Store your backups outside of your network
d) test restoration from time to time.
"maybe educate your idiots"
Education: that's the most important part. Whatever the technical means, we can maybe deflect 1/3 of the attacks. The rest lies in the hands of users. They are the first line of defence, they must be integrated into the protection system. So shout the message, shout it again (education is also repetition), and again and again every 3 months.