Recent revelations that Uber paid a $100,000 ransom to two hackers has surprised many experts. But a look back at recent history shows a growing trend; for hackers it’s becoming a lucrative way of life.
Companies in Germany haven't been able to stay out of harm's way either. Deutsche Telekom made the headlines in June 2016 when the log-in data of lots of its clients appeared on dubious internet portals — valuable information in the truest sense of the word.
"Such data sets are the new currency of our tech-driven century," said Matthias Kettmann who studies internet law at Goethe University in Frankfurt. "We pay for quite a lot with our personal data, only people hardly realize that."
German information technology lobby group Bitkom recently tried to gauge the damage incurred through cybercrime in Germany. The association reckons that last year alone the damage for companies and authorities across Europe's powerhouse amounted to some €55 billion ($65 billion), caused by data theft and espionage. But that's only a rough estimate as many companies do not make hacking attacks public so as not to harm their reputation.
The new reality
Hacking has become an annoying part of doing business for many companies around the world. This week, Uber admitted that in 2016 hackers downloaded the data of 57 million riders and drivers from a cloud server. Then the company did what many other firms do and quietly paid a ransom of $100,000 to keep the matter hushed up.
Holding companies ransom is nothing new. In the past it was often more hands on when employees were physically held hostage in far-off corners of the globe. Oil service companies and journalists were favorite targets, but now the hostages are more virtual — data and locked computers — and hackers have recently targeted hospitals, airports, government agencies and companies like Sony, Netflix, Yahoo, Equifax, Cadbury and AP Moller-Maersk on their own territory.
A Hollywood ending
One of the most high-profile cases this year was HBO which had its servers hacked and was held up in the most Hollywood-like way. To show how serious they were, the hackers released two tranches of data including internal documents, emails and scripts for the network's successful show "Game of Thrones."
Sensing the possible damage, HBO initially offered the hackers $250,000, though the company was adamant that this payment be packaged as a "bug bounty" for finding technical vulnerabilities in the company's system, and not as a ransom payment.
After receiving the offer from HBO, the hackers demanded a less insulting $6 million to stop such releases.
What and whether the company paid was never revealed. But on Tuesday, an Iranian was charged in the case by the US attorney's office in New York with among other things wire fraud, computer hacking and aggravated identity theft. He is still in Iran.
It all started with Sony Pictures
The first case of industrial cyber hacking to get the wider public's attention was the massive attack on Sony in 2014. The hackers deleted data and released internal emails and documents. In the end Co-Chair Amy Pascal lost her job and the company spent around $41 million on investigations and cleanup — around 8 percent of the division's profit for that year. It also later reached an $8 million settlement with current and former employees.
Yet even years later as Hollywood tightens cyber security, nothing is impenetrable. Similar to the attack on HBO, episodes of Netflix's series "Orange is the New Black" were also released this year online before their official broadcast.
Read more: What is ransomware?
In September, Equifax, a credit reporting agency, admitted that the personal data of 143 million Americans was stolen including names, social security numbers, dates of birth, addresses and driver's license numbers. In some cases credit card numbers were also pinched.
Also this year, Yahoo finally admitted that all of its 3 billion users were hit by a massive hack back in 2013. Whether these companies were approached or indeed paid a ransom is unknown because most choose to keep this information under wraps. Though soon new EU regulations may shed more light in the ransom dark; as of next May companies will be required to notify regulators of data breaches within 3 days or face penalties.
Blame bitcoin, but don't pay
As bitcoin has become more commonplace, the number of companies held ransom has grown. Since bitcoin is nearly untraceable has become the currency of choice for global criminal activity. The Federal Bureau of Investigation's (FBI) Internet Crime Complaint Center says that the reports of ransomware have nearly doubled since 2014. Often systems are breached and data stolen without victims even realizing it has happened until they are contacted by hackers.
Nonetheless, cyber security experts and governments encourage individuals and companies not to pay up. The Computer Emergency Readiness Team, a part of America's Department of Homeland Security, discourages users from paying ransom, arguing that payment does not guarantee that computers will then be unlocked.
What they really want to do is to make hacking unprofitable and therefore less attractive. Yet for many paying ransom has simply become a part of doing business, though few companies ever admit it. For others it is a traumatic situation, leaving few other options than to pay. According to the New York Times, cyber security experts estimate that last year criminals made over $1 billion through various ransomware attacks.
But when individuals or companies pay they just open themselves up to the next hack. Blackmailers know who the easy targets are and who paid last time. Companies can take out cyber insurance, but these policies are very strict when it comes to paying ransoms without approval. Many government agencies are also powerless because dozens of countries forbid ransom payments through various anti-terror laws.
Still it's not all gloom and doom and experts have a short list of ways to avoid becoming a cyber victim: always update software; have antivirus software; have backups of data; and do not open suspicious emails, attachments or links. Importantly, all businesses should have a security plan for the worst case scenario.