Ransom Payments by Companies Are Creating an Industry for Middlemen

Ransom payments are creating an industry for the middlemen of criminal enterprises involved in collecting ransoms, according to the Minister of State for Financial Services, Credit Unions and Insurance, Dep Jennifer Carroll MacNeill, who stated that “the payment of ransoms, following ransomware attacks, further fuels the industry of cyber-attacks”, which preys on vulnerabilities in organisations’ cyber security for profit. “A top concern of every CEO in Ireland is, or should be, cyber-crime”, given the threat it poses to organisations, she added.

The comments were made by the Minister at an event hosted by communications and public affairs agency Powerscourt on cyber-crime risks and how companies should best respond to cyber-attacks and threats to their data security.

The Minister said that there was a significant international effort to tackle cyber-crime and referenced the 2021 ransomware attack on the HSE, praising the contributions of “the United States, the FBI, and other international actors who helped us at that stage, but continue to help us identify those involved”.

The Minister went on to say that “there is a real discussion to be had about the prohibition or mandatory disclosure of ransomware payments” and how this may help to reduce volume of payments being made to cyber criminals, thus lowering the incentives for attacks.

“Unless we move to a system where there is an obligation to report ransomware attacks and a prohibition on paying ransoms, cyber-attacks by professional criminals are likely to persist”, added Doug McMahon, Partner at leading law firm McCann FitzGerald’s cyber risk and data protection practice, also speaking at the event.

“It is currently not illegal to pay a ransom in circumstances where you do not know the identity of the attacker. And because there is an evident cyber-crime industry, it is clear that ransoms are being paid, which has the effect of incentivising further cyber-crime”, he added.

Speakers at the event also included Helen Dixon, Data Protection Commissioner, Dr Richard Browne, Director of the National Cyber Security Centre, and Victoria Palmer-Moore, Managing Partner at Powerscourt and one of the UK’s leading crisis communications advisers.

Recent statistics published by the National Cyber Security Centre have found that more than one-in-five organisations in Ireland do not implement baseline security standards to protect against cyber-attacks, leaving them vulnerable to the increasing number of criminal enterprises seeking to obtain personal data.

Partner at Powerscourt, and head of its Dublin office, Eavan Gannon, said that,

“A successful cyber-attack can have a devastating effect on an organisation, potentially leading to the permanent loss of data privacy for its customers or other stakeholders. It can also seriously injure that organisation’s reputation in a way that might lead to long-lasting or irreparable damage to their businesses. In an increasingly dangerous online environment, companies must take urgent action, not only to bolster their cyber-security but to build effective contingency and communications plans to deal with what, for many, is a doomsday scenario.”