Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security

CNA Financial Paid $40 Million in Ransom After March Cyberattack (bloomberg.com) 11

CNA Financial, among the largest insurance companies in the U.S., paid $40 million in late March to regain control of its network after a ransomware attack, Bloomberg News reported Thursday. From a report: The Chicago-based company paid the hackers about two weeks after a trove of company data was stolen, and CNA officials were locked out of their network, according to two people familiar with the attack who asked not to be named because they weren't authorized to discuss the matter publicly. In a statement, a CNA spokesperson said the company followed the law. She said the company consulted and shared intelligence about the attack and the hacker's identity with the FBI and the Treasury Department's Office of Foreign Assets Control, which said last year that facilitating ransom payments to hackers could pose sanctions risks.
This discussion has been archived. No new comments can be posted.

CNA Financial Paid $40 Million in Ransom After March Cyberattack

Comments Filter:
  • by Anonymous Coward on Thursday May 20, 2021 @03:56PM (#61404984)

    ...to placate script kiddies, they damn well have the cash to enact a $25/hour minimum wage for the hired help.

    • by Anonymous Coward
      Sure but why would they?

      If they advertise a job with the pay rate of half that and they end up with enough qualified applicants to fill the positions, why would they ever offer more than $12.50 just because they happen to have $40MM lying around? Which isn't to say they do have it, maybe they drew against credit, but regardless they have no reason to offer more as long as they are getting qualified applicants.
    • There's a difference between a one-time expense and ongoing expenses.

      Like affording to buy a $1000 laptop vs the rent going up $1000.

    • I don't know if they were script kiddies before, but with $40M, just think of the hacking talent and resources they can buy. The victims are feeding the beast.
    • by AmiMoJo ( 196126 )

      It's often not the lack of staff, it's the disruption that proper security creates. Getting the C levels to accept stuff that reduces productivity and costs money instead of making it is hard.

  • by Snotnose ( 212196 ) on Thursday May 20, 2021 @05:17PM (#61405150)
    If you get hacked and you pay a ransom or whatever, everyone in the Cxx suite is subject to jail time. Serious jail time, none of this 6 month house arrest BS.

    This is the only way the Cxx suite will see IT and information security as anything but a cost sink.
  • by t4eXanadu ( 143668 ) on Thursday May 20, 2021 @09:02PM (#61405666)

    I suspect the companies who decide to pay these huge ransoms are reasoning thusly: how much money do we lose by being down for x amount of time? Is that greater than the ransom demand? If yes, then pay the ransom.

    This might change if the government passed laws that levied huge penalties against companies that pay the ransom, then it might not be in their favor to pay it, and maybe instead they will invest in the security and training necessary to mitigate the risk in the first place.

  • I wonder whether terrorists are using ransomware to finance their other endeavors.

    (In addition to the ransomware itself being terroristic.)

    If they are, and you get hit by one that's recognized by the US government, paying the ransom is funding terrorists and would already be illegal.

    Ransomware and related malware is a logical tool for any of the use cases of asymmetric warfare - revolution, subversion, religious conquest, etc.

  • Plus stockholders should be able to bankrupt c-level officers who fail to have a tested ransomware plan.

No spitting on the Bus! Thank you, The Mgt.

Working...