How Would You Respond to a Ransom Demand?
Since we have been talking a lot about ransomware lately, here is a slightly different twist to it. A few weeks ago, hackers stole the whole upcoming season of Orange is the New Black and leaked 10 episodes on the Internet after the studio refused to pay their ransom. Likely this had a significant effect on advertising rates for the hit series and may affect the show’s viewership as the most rabid fans probably viewed the pirated versions.
But now, Disney has admitted that real life (cyber) pirates have stolen a copy of the new Pirates of the Caribbean movie that is due out next week and are demanding what Disney says is a huge ransom. They say that if they do not get the ransom, which Disney says they are not going to pay, that they will release 20 minute segments until they do get paid. So far, they have not released anything. While this MAY not have much of an effect on the theatre revenue since it comes with popcorn and a big screen experience, it could impact DVD and PPV revenue, neither of which come with popcorn.
In both of these cases, Pirates and OITNB, the movies (and the number of movies and TV series stolen now come to almost 40), were likely stolen from suppliers, not from the studios themselves.
This sort of begs two questions.
First, how good is your third party vendor risk management program? Do you know if your vendors’ information security programs are up to dealing with a cyber attack?
And, second, what would you do if a hacker stole your intellectual property, possibly deleting or worse yet corrupting what was left behind (note that if the hackers know that you have, say 10 days of backups and wait until day 11 to tell you that they corrupted your data, you would not have a clean backup to restore and likely would not know what they corrupted)? What if the hackers stole, say, NFL players socials, credit cards and legal records as happened after a breach at PIP printing that went on for four months earlier this year? Or if hackers stole confidential client information from a law firm? Or all of the mortgage applications from a mortgage company?
Some hackers are figuring out that they can extract more money from stealing intellectual property than by stealing credit cards.
If you don’t pay the ransom and they do release the information, the legal fees, fines, lost customers, reputational damage and other costs could be very significant.
One question to ask is whether you have extortion insurance coverage for intellectual property extortion, but the bigger question is are you ready to deal with this situation? It could cost you lawsuits and lost clients, so it is a serious situation – one that should be planned for in advance.
Don’t hope that the bad guys are going to pass you over. For the most part, it is a crime of opportunity caused by an employee opening the wrong email or clicking on the wrong link. The hackers don’t, for the most part, care who’s intellectual property they steal.
Now is the time to plan for the worst and hope for the best.