The majority of cyber attacks go one of two ways:
- Customer data is stolen and sold on the dark web.
- Company data is encrypted until a fee is paid (ransomware).
However, there is a third type of cyber attack that’s becoming increasingly common: online extortion.
Online extortion differs from ransomware attacks in that, rather than encrypting files, cyber criminals steal company data and threaten to release it unless a fee is paid.
The distinction matters because, in most ransomware cases, organisations can restore their data from a backup. A backup does not help once the data has been stolen: the damage extortionists can do is to the organisation’s reputation.
A recent example is the attack on WestPark Capital, a Los Angeles-based investment bank. ‘TheDarkOverlord’, an unidentified person or group, stole the organisation’s data and, after the bank rejected their “handsome business proposal”, posted the data online for all to see.
TheDarkOverlord struck again this month, this time stealing sensitive corporate data from US glue manufacturer Gorilla Glue. So far, TheDarkOverlord has released to journalists at Motherboard 200GB of the 500GB it claims to have stolen.
Prevention is the best protection
Organisations that find themselves in this situation have two options, both of which are bad in their own way. Do you refuse to pay and have your data and your customers’ data released on the web for all to see, or do you pay the fee and become known to criminals as a soft touch?
If you want to avoid being put in that position, you need to act before being attacked, and follow international best practice to protect every single piece of data your organisation holds.
The first of many steps to avoid online extortion is to download our free green paper Cyber Security & ISO 27001: An introduction and learn how smart organisations are protecting their critical information assets and their reputations with ISO 27001 certification.
Cyber crime is a hot topic, and the last thing you want is to hit the headlines for all the wrong reasons.