University pays ransom to hackers

Here we go again, folks. Just like the George W Bush Center I wrote about in an earlier post, another major organization’s I.T. infrastructure has been hacked and a ransom has been paid to hackers to “release” the information.  Although all cases of hacking and ransomware are troubling, this one is particularly troubling because hackers were able to gather the personal information of university students.  I have a feeling we’re going to see a lot more of this kind of ransomware activity in the coming months.  The cat is out of the bag! Organizations are proving that they WILL pay hackers who successfully steal data and hold it for ransom.

Let’s dig into the University of Utah situation a little further, shall we?

I would be a little naive to assume the university made this decision without consulting a massive number of people including (ahem) I.T. professionals, lawyers, elected officials, etc. Clearly, the University of Utah is trying to cover its bases in case a lawsuit is filed by a student, which could easily turn into a class-action lawsuit.  By paying the $450,000 ransom, the university is able to show “proof” that they “fixed” the problem.  And, just like the George Bush Center, the University of Utah is probably ready to show “proof” of the fix in the form of an official email from the ransom gang saying something like: We promise we deleted all the info!  Hugs!

Here’s what the university said in a statement:

“After careful consideration, the university decided to work with its cyber insurance provider to pay a fee to the ransomware attacker,” the university said today.

“This was done as a proactive and preventive step to ensure information was not released on the internet.”

Uh huh . . . what does “released on the internet” exactly mean, anyway? Released on a public-facing website? Released in an email? Released on the dark web? Released in a printed book for sale on eBay?

You can’t send lawyers knocking on the door

Yes, the University of Utah probably thinks they’re saving themselves a lot of money from the fallout of an inevitable class-action suit by instead paying nearly half a million dollars to put the whole debacle to bed.  Unfortunately, they’re wrong. I’m willing to bet the $450,000 I don’t have that the hackers NEVER deleted the info and NEVER intend to do so.  Why would they? There’s still money to be made by selling it to other criminals.  And when that happens, what is the University of Utah going to do? They certainly can’t send lawyers knocking, because the university doesn’t even know which CONTINENT the hackers are on.

This is getting pathetic.