
Ransomware has exploded: Privacy laws need to change to stop hackers

Privacy laws need to wake up to hackers, or regulators need to get their hands dirty and call out criminal behaviour, writes Kathy Sundstrom.

Kathy Sundstrom. Picture: Patrick Woods.

Ransomware has exploded.

Every week we hear about the latest business or government agency hacked and held to ransom, with the threat that if it goes unpaid, the data of customers and staff will be leaked.

The method is simple.

Get an unsuspecting staff member to click on a link or attachment in an email.

Then the malware will do the rest.

Some criminals are more sophisticated and cunning.

They will sit and patiently observe the organisation from within.

They get the lay of the land and assess how much they think the organisation would pay in ransom once they unleash encryption on its files.

In practice, this means locking up servers and the information held on them, often after the criminals have already exfiltrated data.

The encryption is followed in short order by the extortion demands.

Common among these is a demand that the organisation send a couple of encrypted files so the criminals can decrypt them (proving they have the keys). Others will just post a sample of the data online for the world to see, with the threat of more to come if the ransom is not paid.

Creatively, the criminals will also have timers or clocks that count down the time left to pay the ransom.

This week Accenture had files published.

Kathy Sundstrom is a former Sunshine Coast Daily journalist who now works at identity and cyber support service IDCARE. Picture: Patrick Woods.

But in a twist that is becoming all too common, the Accenture files were removed and the clock to pay the ransom restarted.

So what's happening when clocks are restarted or harvested information is removed?

Well, more often than not, you know the breached organisation is in negotiations with the criminals.

The bargaining on price has begun.

So is there honour among thieves?

How can anyone trust a criminal who hacks an organisation and steals data?

We know some law firms take the view that if you pay and the information is no longer available, the incident doesn’t need to be notified to impacted persons under privacy laws.

This is a very big call.

How do you know the criminals haven’t already shared the data? None of us would use a dark net hackers' forum as a litmus test for whether someone has copied or shared information.

What bizarro world do we live in that this act ever became the measure of trust?

The simple fact of it is that those who hack are committing crimes.

Those who extort are committing crimes.

And it is these crimes that have the greatest consequences for the people whose information is at the centre of the fray.

It is not the organisation that is negotiating on their behalf in the hope of not having to tell them.

Privacy laws need to either wake up to this reality or regulators need to get their hands dirty and call out such behaviour as being deplorable.

There is no honour among thieves, and the lives of many are being used as pawns in a game of cover-up.

Kathy Sundstrom is a former Sunshine Coast Daily journalist who now works at identity and cyber support service IDCARE.

Originally published as Ransomware has exploded: Privacy laws need to change to stop hackers

Original URL: https://www.thechronicle.com.au/news/queensland/sunshine-coast/opinion/ransomware-has-exploded-privacy-laws-need-to-change-to-stop-hackers/news-story/1c8a10a96bdf58e08503f46230478c62