Bloomberg reported just over a week ago that some 20 million usernames and email addresses had been offered for sale after the Russian online dating service Topface was hacked. Atlanta-based fraud detection firm Easy Solutions discovered the breach when a hacker calling himself ‘Mastermind’ claimed “to be in possession of over 20 million credentials”, including “over 7 million credentials from Hotmail, 2.5 million from Yahoo and 2.2 million from Gmail.com.”

In a statement released at the time, Topface CEO Dmitry Filatov reassured customers that there was nothing to worry about:

“We are pretty sure that our users will not have any problems even if any data was stolen from our service.”

A few days later, it seemed that Filatov was less optimistic.

According to NBC:

“Topface Chief Executive Dmitry Filatov said the company located the hacker, who had published ads to sell the data but had not actually sold them. ‘We have paid him an award for finding a vulnerability and agreed on further cooperation in the field of data security,’ Filatov said in an email on Friday, declining to disclose the size of the reward.”

Dangerous precedent

It’s not an award. It’s a ransom.

And agreeing on “further cooperation in the field of data security”? I know the global shortage of cyber security expertise is prompting many firms to consider employing hackers to help with their security efforts, but employing the actual person who attacked you? In what other sector would that be acceptable?

‘Awarding’ hackers – or acceding to their blackmail demands – is unwise. The thing about blackmail is that even if you pay up, you’re still a victim. It’s well known that paying off blackmailers simply encourages them to keep blackmailing: if they still have the data, they still have the leverage, and you’ve shown yourself to be willing to pay.

International best-practice approach

The sensible approach is to ensure the security of the information you hold in the first place.

The international best-practice standard ISO 27001 sets out the specification for an information security management system (ISMS): an enterprise-wide approach to information security that encompasses people, processes and technology, and that can be adopted by organisations of all sizes, sectors and locations.

If you’re concerned about security breaches, data losses, and subsequent blackmail by hackers, then an ISMS will provide the best approach to securing your information assets, protecting your reputation, reassuring your stakeholders, and ensuring your compliance with a host of international legislation – including the forthcoming General Data Protection Directive.

IT Governance’s ISO 27001 Packaged Solutions provide fixed-price implementation resources and consultancy support for all organisations, whatever their budget or expertise.

Find out how you can deploy ISO 27001 to help protect your business in cyberspace.