DEV Community

Mitch Jackson
Mitch Jackson Subscriber

Posted on

Would you pay a data ransom?

TMBG Ticket

Ticketfly.com data breach

I was notified by Have I Been Pwned that my Name, E-Mail address, Mailing addresses and phone numbers were dumped publicly online as part of the ticketfly.com data ransom involving 26 million account records. Motherboard reports the attacker requested a ransom of 1BTC (~$7500). It's unclear if the request was ignored intentionally, or overlooked. In theory, it would have cost ticketfly.com $0.000288 to protect my customer record. Now the dark web knows I always buy tickets to see They Might Be Giants.

Would I pay the 1BTC ransom?

It's common advice that a blackmailer will never stop asking for more money. It's also safe to assume that just because the hacker doesn't publicly dump the data immediately, she/he will still be selling it on the black market.

However this is a low-cost ransom request. Paying the ransom may buy time to fix the vulnerability, and perhaps could have kept ticketfly online. I'm told that venues cannot buy, sell, or verify tickets for concerts this weekend. This is going to cause probably more than $7500 in damage to every ticketfly venue.

I'd would have paid the ransom.

What would you do?

Top comments (7)

Collapse
 
adamthewizard profile image
Adam

Well I could sell everything I own from my guitar collection to my car and I would have about £3000 if I'm very luck so I don't think I'd pay that lol maybe if I was skilled enough I would hold other people to ransom to pay mine! Aha (joking btw)

Collapse
 
mjac profile image
Mitch Jackson

They can't have my guitars, but if they took my old Peavy amp, then I could finally justify buying a new one!

Collapse
 
ben profile image
Ben Halpern

If I had confidence that paying the ransom would help keep the data truly secure and not paying it would result in the opposite, $7,500 is a tiny amount.

Of course, I don't think negotiating a ransom is that straightforward.

Collapse
 
mjac profile image
Mitch Jackson

I'd think of the $7500 payment as a wager with bad odds, considering there can be no confidence when somebody is blackmailing you.

Collapse
 
ferricoxide profile image
Thomas H Jones II

A couple things can mitigate the "need to pay" thing:

  • Good (and well-tested) backups — preferably redundant
  • Implement your infrastructure and application deployments as code

While neither of these protect you from "sharing" your data with the world, they do prevent you from being denied access to your data or your ability to function:

  • Live data got locked up? Restore your most recent backups
  • Locked out of your systems or your systems were straight up nuked or are otherwise undtrustworty? Nuke them from orbit and rebuild.

Yeah, the holes are still there (though, if you automate your deployments, it's at least likely that any given point of entry doesn't stay available sufficiently-long to be wholly compromised).

Does that help you against buggy, vulnerable code and not protecting your data in-flight or at rest? No. But if you're doing things right, those things are also taken care of in your designs.

But, in the end, it comes down to, if faced with the nightmare-scenario, what's the least-costly way to get back online is probably the choice you make.

Collapse
 
mjac profile image
Mitch Jackson

You highlight critical points: Automated backups, and a tested disaster recovery plan. I don't know how people think they can live without them.

Collapse
 
amazing_leader profile image
Amazing Leader • Edited

Nope, I have to charge it to the game(take the L).