60 comments

  • throwaway2037 an hour ago

    I love this part (no trolling from me):

        > We are sorry. We regret that this incident has caused worry for our partners and people. We have begun the process to identify and contact those impacted and are working closely with law enforcement and the relevant regulators. We are fully committed to maintaining your trust.
    
    I know there will be a bunch of cynics who say that an LLM or a PR crisis team wrote this post... but if they did, hats off. It is powerful and moving. This guy really falls on his sword / takes it on the chin.
    • sigmoid10 an hour ago

      I'll never not think of that South Park scene where they mocked BP's "We're so sorry" statement whenever I see one of those. I don't care if you're sorry or if you realize how much you betrayed your customers. Tell me how you investigated the root causes of the incident and how the results will prevent this scenario from ever happening again. Like, how many other deprecated third party systems were identified handling a significant portion of your customer data after this hack? Who declined to allocate the necessary budget to keep systems updated? That's the only way I will even consider giving some trust back. If you really want to apologise, start handing out cash or whatever to the people you betrayed. But mere words like these are absolutely meaningless in today's world. People are right to dismiss them.

      • jacquesm an hour ago

        I wouldn't be so quick. Everybody gets hacked, sooner or later. Whether they'll own up to it or not is what makes the difference, and I've seen far, far worse than this response by Checkout.com; it seems to be one of the better responses to such an event that I've seen to date.

        > Like, how many other deprecated third party systems were identified handling a significant portion of your customer data after this hack?

        The problem with that is that you'll never know. Because you'd have to audit each and every service provider and I think only eBay does that. And they're not exactly a paragon of virtue either.

        > Who declined to allocate the necessary budget to keep systems updated?

        See: prevention paradox. Until this sinks in it will happen over and over again.

        > But mere words like these are absolutely meaningless in today's world. People are right to dismiss them.

        Again, yes, but: they are at least attempting to use the right words. Now they need to follow them up with the right actions.

        • sharken 34 minutes ago

          Well said, ideally action comes first and then these actions can be communicated.

          But in the real world, you have words ie. commitment before actions and a conclusion.

          Best of luck to them.

        • BoredPositron 30 minutes ago

          There are millions of companies, even century- or decade-old ones, without a hacking incident with data extraction. The whole "everyone gets hacked" thing is copium for a lack of security standards or, here, the lack of deprecation and having unmaintained systems online with legacy data.

          • bragr 17 minutes ago

            >There are millions of companies even century or decade old ones without a hacking incident with data extraction.

            Name five.

      • YetAnotherNick an hour ago

        Right. Transparency doesn't mean telling about the attack that already happened. It means telling us about their issues and ways this could happen again. And they didn't even mention the investment amount for the security labs.

      • pembrook 39 minutes ago

        In attacks on software systems specifically though, I always find this aggressive stance toward the victimized business odd, especially when otherwise reasonable security standards have been met. You simply cannot plug all holes.

        As AI tools accelerate hacking capabilities, at what point do we seriously start going after the attackers across borders and stop blaming the victimized businesses?

        We solved this in the past. Let’s say you ran a brick-and-mortar business, and even though you secured your sensitive customer paperwork in a locked safe (which most probably didn’t), someone broke into the building and cracked the safe with industrial-grade drilling equipment.

        You would rightly focus your ire and efforts on the perpetrators, and not say "gahhh what an evil dumb business, you didn't think to install a safe of at least 1 meter thick titanium to protect against industrial grade drilling!????"

        If we want to have nice things going forward, the solution is going to have to involve much more aggressive cybercrime enforcement globally. If 100,000 North Koreans landed on the shores of Los Angeles and began looting en masse, the solution would not be to have everybody build medieval stone fortresses around their homes.

    • M4v3R an hour ago

      Words are cheap, but "We are sorry." is a surprisingly rare thing for a company to say (they will usually sugarcoat it, shift blame, add qualifiers, use weasel words, etc.), so it's refreshing to hear that.

      • sunaookami an hour ago

        This is a classic example of a fake apology: "We regret that this incident has caused worry for our partners and people" – they are not really "sorry" that data was stolen but only "regret" that their partners are worried. No word on how they will prevent this in the future and how it even happened. Instead it gets downplayed ("legacy third-party", "less than 25% were affected" (which is a huge number), no word on what data exactly).

        • koliber an hour ago

          How would the apology need to be worded so that it does not get interpreted as a fake apology?

          In terms of "downplaying" it seems like they are pretty concrete in sharing the blast radius. If less than 25% of users were affected, how else should they phrase this? They do say that this was data used for onboarding merchants that was on a system that was used in the past and is no longer used.

          I am as annoyed by companies sugarcoating responses, but here the response sounds refreshingly concrete and more genuine than most.

          • actionfromafar an hour ago

            "Up to 25% of users were affected." "As many as 25% of users were affected."

            "A quarter of user accounts were affected. We have calculated that to be 7% of our customers."

        • berkes 28 minutes ago

          I always presume the "We are sorry" opens up to financial compensation, whereas the "we regret that you are worried" does not.

          In my country, this debate is being held WRT the atrocities my country committed in its (former) colonies, and towards enslaved humans¹. Our king and prime minister never truly "apologized". Because, I kid you not, the government fears that this opens up possibilities for financial reparation or compensation and the government doesn't want to pay this. They basically searched for the words that sound as close to apologies as possible, but aren't words that require one to act on the apologies.

          ¹ I'm talking about The Netherlands. Where such atrocities were committed as close as one and a half generations ago still (1949) (https://www.maastrichtuniversity.nl/blog/2022/10/how-do-dutc...) but mostly during what is still called "The Golden Age".

        • dcminter 37 minutes ago

          > This was our mistake, and we take full responsibility.

          That preceding line makes it, to me, a real apology. They admit fault.

        • contravariant 30 minutes ago

          Seems a bit harsh to leave out the rest of the apology and only focus on the part that is not much of an apology.

  • prodigycorp an hour ago

    If I was a customer I'd be pissed off, but this is as good a response as you can have to an incident like this.

    - timely response

    - initial disclosure by company and not third party

    - actual expression of shame and remorse

    - a decent explanation of target/scope

    I could imagine being cynical about the statement, but look at other companies who have gotten breached in the past. Very few of them do well on all points.

    • walletdrainer an hour ago

      > as good as a response you can have to an incident like this.

      From customer perspective “in an effort to reduce the likelihood of this data becoming widely available, we’ve paid the ransom” is probably better, even if some people will not like it.

      Also to really be transparent it’d be good to post a detailed postmortem along with audit results detailing other problems they (most likely) discovered.

      • jacquesm an hour ago

        No, that would not help me as a customer. Because I would never believe that that party would keep their word; besides, it can't be verified. You'll have that shadow hanging around forever. The good thing is that those assholes now have less budget to go after the next party. The herd is safe from wolves by standing together, not by trying to see which of their number should be sacrificed next.

        • walletdrainer an hour ago

          There’s a very real difference between the data possibly still being saved in some huge storage dump of a ransomware group and being available for everybody to exploit on a leak site.

          It’s a sliding scale, where payment firmly pushes you in the more comfortable direction.

          Also, the uncomfortable truth is that ransomware payments are very common. Not paying will make essentially no difference, the business would probably still be incredibly lucrative even if payment rates dropped to 5% of what they are now.

          If there was global co-operation to outlaw ransom payments, that’d be great. Until then, individual companies refusing to pay is largely pointless.

      • rollcat 42 minutes ago

        Never pay the ransom.

        The extortionist knows they cannot prove they destroyed the data, so they will eventually sell it anyway.

        They will maybe hold off for a bit to prove their "reputation" or "legitimacy". Just don't pay.

        • walletdrainer 40 minutes ago

          If this is actually frequently happening, your claim should be pretty easy to prove. Most stolen databases are sold fairly publicly.

          The ransom payments tend to be so big anyway that selling the data and associated reputational damage is most likely not worth the hassle.

          Basic game theory shows that the best course of action for any ransomware group with multiple victims is to act honestly. You can never be sure, but the incentives are there and they’re pretty obvious.

          The big groups are making in the neighbourhood of $billions, earning extra millions by sabotaging their main source of revenue seems ridiculous.

          • rollcat 20 minutes ago

            > reputational damage

            Whoa. You're a crime organization. The data may as well "leak" the same way it leaked out of your victim's "reputable" system.

            • walletdrainer 8 minutes ago

              We’re talking about criminal organisations that depend on a certain level of trust to make any money at all.

              Yes, the data might still leak. It’s absurd to suggest that it’s not less likely to leak if you pay.

              There’s a reason why businesses very frequently arrive at the conclusion that it’s better to pay, and it’s not because they’re stupid or malicious. They actually have money on the line too, unlike almost everyone who would criticise them for paying.

      • tobyhinloopen 44 minutes ago

        I strongly disagree. Paying the ransom will put everyone in danger.

        • walletdrainer 42 minutes ago

          I would totally agree with you if we lived in a hypothetical world where ransomware payments aren’t super common anyway.

          Until there is legislation to stop these payments, there will be countless situations where paying is simply the best option.

      • croemer an hour ago

        Depends. Not paying ransom decreases the likelihood of being attacked in the future.

        • walletdrainer an hour ago

          Probably not that significantly, these are primarily crimes of opportunity. An attacker isn't likely to do much research on the company until they already have access, and at that point they might as well proceed (especially since getting hit a second time would be doubly awkward for the company, presumably dramatically increasing the chances of payment).

          And selling the data from companies like Checkout.com is generally still worth a decent amount, even if nowhere close to the bigger ransom payments.

      • weird-eye-issue 9 minutes ago

        Ah yes let's fund literal criminal groups so they have an incentive to keep hacking people

  • lexlambda an hour ago

    The donation is more or less virtue signaling rather than actual insight.

    The problem cannot be helped by research against cybercrime. Proper practices for protection are well established and known; they just need to be implemented.

    The amount donated should rather have been invested into better protections / hiring a person responsible in the company.

    (Context: The hack happened on a not properly decommissioned legacy system.)

    • dspillett 32 minutes ago

      > The donation is more or less virtue signalling rather than actual insight.

      I see it more as a middle finger to the perps: “look, we can afford to pay, here, see us pay that amount elsewhere, but you aren't getting it”. It isn't signalling virtue as much as it is signalling “fuck you and your ransom demands” in the hope that this will mark them as not an easy target for that sort of thing in future.

      • bonesss 21 minutes ago

        It also serves as a proxy for a punishment. They are, from one perspective, paying a voluntary fine based on their own assessment of their security failings.

        For customers it signals sincerity and may help dampen outrage in their follow up dealings.

    • pjc50 37 minutes ago

      At the stage we're at, I would far prefer virtue signalling to the more widespread vice signalling.

    • walletdrainer an hour ago

      It is virtue signaling, especially considering the fact that doing the hard to swallow thing of paying the ransom would probably be the best outcome from a customer perspective.

      Yes, there are negative externalities in funding ransomware operations, but not paying is still much more likely to hurt your customers than paying.

    • satisfice an hour ago

      What is the problem with virtue signaling? By all means signal virtue! Perhaps you are concerned by cheap virtue signals, which have little significance.

      The point here is that this is an expensive virtue signal. Although, it would be more effective if we knew how expensive it was.

    • AlienRobot 28 minutes ago

      I don't know what virtue signaling means. I think you mean they just did it out of spite.

    • varispeed an hour ago

      There is not much to research. If companies want security, they should pay for security.

      • dspillett 27 minutes ago

        > If companies want security, they should pay for security.

        Or just properly follow best practice, and their own procedures, internally.⁰

        That was the failing here, which in an unusual act of honesty they are taking responsibility for in this matter.

        --------

        [0] That might be considered paying for security, indirectly, as it means having the resources available to make sure these things are done, and tracked so it can be proven they are done, making slips difficult to happen and easy to track & hopefully rectify when they inevitably still do.

      • rollcat 22 minutes ago

        Security is an arms race. Don't expect a leap; do your part to stay ahead.

  • globalise83 16 minutes ago

    "The system was used for internal operational documents and merchant onboarding materials at that time"

    To me it seems most likely that this is data collected during the KYC process during onboarding, meaning company documents, director passport or ID card scans, those kinds of things. So the risk here, for at least a few more years until all identity documents have expired, is identity theft possibilities (e.g. fraudsters registering their company with another PSP using the stolen documents and then processing fraudulent payments until they get shut down, or signing up for bank accounts using their info and tax ID).

    • saberience 4 minutes ago

      Passport or ID card scans would never be stored alongside general KYB information, e.g. the standard forms PSPs use.

      If you read between the lines of the verbiage here, it looks like a general archived dropbox of stuff like PDF documents which the onboarding team used.

      Since GDPR etc., items like passports, driving license data etc. have been kept in far more secure areas that low-level staff (e.g. people doing merchant onboarding) won't have easy access to.

      I could be wrong but I would be fairly surprised if JPGs of passports were kept alongside docx files of merchant onboarding questionnaires.

  • arbll 44 minutes ago

    > The attackers gained access to a legacy, third-party cloud file storage system.

    I think the answer is ok but the "third-party" bit reads like trying to deflect part of the blame on the cloud storage provider.

    • zwnow 18 minutes ago

      The whole codebase & tools at whatever company I ever worked at was using 99% legacy stuff. It's wild...

      Oftentimes it would have been easier to rebuild the whole project over trying to upgrade 5-6 year old dependencies.

      Ultimately the companies do not care about these kinda incidents. They say sorry, everyone laughs at them for a week and then after that it's business as usual, with that one thing fixed and still rolling legacy stuff for everything else.

  • dmoreno an hour ago

    When they say "The episode occurred when threat actors gained access to this third party legacy system which was not decommissioned properly." for me it sounds like a not properly wiped disk that got into the bad guys' hands. It would be interesting to know more to be prepared for proper decommissioning of hardware.

    • actionfromafar an hour ago

      Or a cloud server which was never turned off.

  • saberience 23 minutes ago

    So, I used to work in the fintech world and it looks to me like what was hacked was merchant KYB documents. I.e. when a merchant signs up for a PSP they have to provide various documentation about the business so the PSP can underwrite the risk of taking on this business. I.e. some PSPs won't deal with porn companies or travel companies or companies from certain regions etc.

    This sort of data is generally treated very differently to the actual PANs and payment information (which are highly encrypted using HSMs).

    So it's obviously shitty to get hacked, but if it was just KYB (or KYC) type information, it's not harming any individuals. A lot of KYB information is public (depending on country).

    Fair play on them for being open about this.

    • globalise83 14 minutes ago

      It's not just business data though - usually it will include ultimate beneficial owner and directors' passports, tax ID, etc. So there is a risk of identity theft there of potentially some very wealthy individuals.

  • nashashmi 42 minutes ago

    Sometimes cyber insurance will come to the rescue. That's why companies don't pay.

  • pm2222 an hour ago

    Could this be AWS S3?

  • junaru 2 hours ago

    > We will be donating the ransom amount to Carnegie Mellon University and the University of Oxford Cyber Security Center (OXCIS) to support their research in the fight against cybercrime.

    Can this be tax deducted? Because this sounds like gaslighting to change the narrative.

    • tobyhinloopen 43 minutes ago

      Something being tax deductible doesn't mean it is free. It still costs money, you just don't pay taxes on that money.

    • misiek08 42 minutes ago

      This one doesn't change that much, like others said, but it is still burning money. Universities and their projects waste a lot of money - from buying hardware via complicated processes to projects wasting millions of USD (in cases I know it is EUR). Sponsored by companies like Samsung or Siemens, not releasing anything useful for years and still extending projects for "further research" :(

      It's their money in this case so they can burn it any way they want, and great to see they didn't support script kiddies here (assuming it was some leftover files on a forgotten object storage bucket, sadly unencrypted or with keys available nearby).

    • Cyclone_ an hour ago

      It's not gaslighting. They were transparent enough to own their mistake. The donation isn't really the main story.

    • worthless-trash 2 hours ago

      I believe you may be misusing the term gaslighting.

      • junaru an hour ago

        To me this looks like getting hacked, donating to some public non-profit, deducting it via taxes (essentially spending nothing) and spinning it online as a positive.

        • ritzaco an hour ago

          I've met a few people who genuinely believe that 'tax deductible' equates to 'essentially spending nothing', or somehow think that the amount you donate would be an amount you would otherwise give to the Government in taxes, so from your perspective it doesn't change anything.

          This is definitely not the case. If you make $100 profit and you would have had to pay 20% corporate tax, then you pay $20 in taxes, you'd be left with $80 to buy chocolate or whatever you want.

          If you donate $20 and deduct it from your profit, then your profit is now calculated at $80. So you pay $16 in taxes. So you saved $4 but spent $20, so you're $16 down and now you only have $64 for chocolate, so not 'essentially nothing'.

          • tobyhinloopen 41 minutes ago

            What if I buy chocolate as a corporate gift to my clients?! /jk

        • saberience 19 minutes ago

          That's not how tax deductions work: a tax deduction doesn't give you the full amount of your donation back; it only reduces your taxable income, not your tax bill dollar-for-dollar.

          Example:

          You earn $100,000.

          You donate $10,000 to a qualifying charity.

          You can now deduct that $10,000, i.e. you’ll be taxed as if you earned $90,000, not $100,000.

          If your marginal tax rate is 30%, you’ll save 30% of $10,000 = $3,000 in taxes. So you’re still out $7,000 in real money.

        • retsibsi an hour ago

          > deduct it via taxes (essentially spending nothing)

          Unless you're positing some very specific, unusual situation, this isn't how tax deductibility works. The dollar amount of a tax deductible donation is subtracted from your taxable income, not from your tax bill. So you're getting a discount on the donation equal to your marginal tax rate.

        • laylower an hour ago

          Even if it were, it'd be much more than anything others that got hacked have been doing.

        • tobyhinloopen 43 minutes ago

          > deduct it via taxes (essentially spending nothing)

          That's not how tax deduction works.