Businesses have been warned not to pay ransom demands for data stolen in cyber attacks following a number of high-profile ransomware attacks on firms around the world.
The Information Commissioner’s Office (ICO) has issued the warning in response to claims from cyber criminals that paying a ransom reduces the scale of enforcement action taken against a firm by the data protection watchdog – which the ICO said was “incorrect”.
Ransomware is a form of cyber attack where criminals break into an organisation’s system and encrypt files, making them inaccessible, and demand a ransom payment in order to release them.
It has been used in a number of high-profile incidents, including the 2017 attack on the NHS.
The ICO said paying ransoms does not reduce the risk to individuals, is not an obligation under data protection law, and is not considered a reasonable step to safeguard data.
The data protection watchdog also warned that making payments only encouraged criminals further.
“Engaging with cyber criminals and paying ransoms only incentivises other criminals and will not guarantee that compromised files are released,” Information Commissioner John Edwards said.
“It certainly does not reduce the scale or type of enforcement action from the ICO or the risk to individuals affected by an attack.
“We’ve seen cyber crime costing UK firms billions over the last five years. The response to that must be vigilance, good cyber hygiene, including keeping appropriate back-up files, and proper staff training to identify and stop attacks.
“Organisations will get more credit from those arrangements than by paying off the criminals.”
Last week, the UK and US sanctioned seven Russian nationals over their links to the development and deployment of ransomware, and the chief executive of the UK’s National Cyber Security Centre (NCSC), Lindy Cameron, has called the form of attack the “most acute cyber threat facing the UK”.
The ICO said in the event of a ransomware attack, it was a regulatory requirement for firms to report the incident to the ICO as the UK’s data regulator if people are put at high risk, and that firms should also notify the NCSC which would provide support and incident response.