NZ lawyer: Decision to pay hacker's ransom 'understandable'

"It's a tough, two-edged call to pay the ransom - but I can understand why they decided to pay," Wigley & Co principal Michael Wigley says.

The decision by US company Blackbaud to pay-off hackers, helping to secure data for two NZ universities is understandable, a Wellington lawyer says.

"It's a tough, two-edged call to pay the ransom - but I can understand why they decided to pay," Wigley & Co principal Michael Wigley says.

"Toughing it out against ransom demands might have been worse. At least it's a wake-up call for the universities and the provider, so improved cybersecurity is likely."

Yesterday, Auckland University sent an email to alumni and donors, saying their information had been "involved" in a ransomware attack on Blackbaud, a Nasdaq-listed US company that specialises in handling databases for non-profits.

And in an email to alumni on the same day, Otago University deputy vice-chancellor Helen Nicholson said clarification was being sought from Blackbaud on whether data sent by the university in 2014 might have been affected. The file contained information on a small number of alumni based in the US at the time.

The attack took place in May. Blackbaud said in a statement: "Because protecting our customers' data is our top priority, we paid the cybercriminal's demand with confirmation that the copy they removed had been destroyed."

In paying up, and paying up quickly, Blackbaud went against most law-enforcement advice, but also saved itself the embarrassment of having samples of its files made public online - a common tactic by ransomware gangs as they try to turn the screws; just ask Fisher & Paykel Appliances, which gritted its teeth and refused to negotiate as sensitive financials and planning documents were dumped in the public internet.

Blackbaud would not comment on the size of the ransom, but other high-profile attacks on large companies, such as the TravelEx attack in January, have seen demands in the region of US$5-6m.

Auckland University said it did not know the amount of the ransom paid by Blackbaud. It was not party to the transaction.

NZ Police and Crown cybercrime agency Cert NZ recommend that those hit by ransomware do not pay. Data may not be unencrypted or returned as promised, and the proceeds often go to criminal gangs, helping to sustain operations in other areas such as drug and human trafficking.

Copies of data might not be destroyed, but instead used for blackmail, and returned data can be booby-trapped to allow future access to an organisation's network, Cert NZ deputy director Declan Ingram recently told the Herald.

But Wigley said earlier that commercial pragmatism would see some companies decide to pay a ransom if it was lower than the cost of restoring lost data - an argument used by former Road Transport Forum head Ken Shirley when his organisation decided to pay a cyber-ransom.

Wigley added, "Sometimes paying out could even answer a legal duty. Say A has a duty to protect B's information, such as under a contract or some other duty and a ransom leads to a breach of that duty.

"The ransomed company A has a duty to mitigate loss and one way to do that could be to pay out on the ransom."

Blackbaud said it followed best-practice with its response to the ransomware attack on its systems.

It did not respond to a question from the Herald, asking for examples of best-practice guidelines that included paying a ransom.