Do hackers really keep ransom promises?

A stunning article

Last week, a stunning article crossed my desk announcing that the George W. Bush Center I.T. system had been hacked. What’s worse, the hackers stole the personal information of hundreds of donors. Who were these donors? Were they major CEOs of companies like Melaleuca or Exxon who have a history of political giving? Whoever they were, they were BIG names with BIG money. What’s WORSE, though, is that the George W. Bush Center agreed to pay a ransom with the promise that the hackers would destroy the sensitive information. Uh . . . ok (wink wink), I’m sure these criminally-minded monsters were more than happy to stay true to a “promise” and destroy the records.

According to the Center, they “paid a ransom to the attackers in order to obtain confirmation that the compromised unencrypted information has been destroyed.” Okay . . . so assuming the hackers actually “destroyed” the unencrypted information, what exactly is/was that information? Well, according to reports, the unencrypted information that was compromised included names, birth dates, physical addresses, email addresses, telephone numbers, gender, and giving history. Yikes!!!

The way I look at it, the George W. Bush Center paid the ransom to calm the nerves of its donors, but the damage had already been done . . . and more damage is likely to follow. Imagine the power of that list! These are MAJOR donors, giving thousands, tens of thousands, and even millions. What’s to keep the hackers from selling these valuable lists to other entities eager for an opportunity to exploit millionaires and billionaires? The answer is: nothing!

Take a look at the wording of the Center’s quote when they said, “in order to obtain confirmation that the compromised unencrypted information has been destroyed.” Okay, so what exactly is “confirmation”?

Here’s one way it could have played out in an email exchange:

George W. Bush Center: “If we pay you this money, we need confirmation that you’ve destroyed the information!”

Hackers: “Yes, yes, of course. We will send you confirmation for sure!”

George W. Bush Center: “And what will that look like?”

Hackers: “We will send a message that says ‘This is confirmation that the information has been destroyed.’”

George W. Bush Center: “Good. That will do!”

Hackers: “Okay, send us the money.”

George W. Bush Center: “Done.”

Hackers: “This email confirms that the information has been destroyed.”

George W. Bush Center: “Lovely. Thank you.”

In conclusion

I implore everyone reading this article to NOT, I repeat, DO NOT pay a ransom to hackers. In this case the hackers weren’t even holding the I.T. systems hostage. They were merely holding private information of important people. Yes, not paying the ransom would have resulted in a public relations nightmare, but paying the ransom just puts you out more money, and everyone knows the hackers aren’t really interested in being honest with their word. After all, they ARE hackers, right?