You can't police the world.
I mean, it's just extortion. Nothing is being ransomed, you don't get something back and you can't really secure something already lost. It suffers from the same problems as other forms of extortion, namely that you can't really trust the other party to do what you want and really they have no incentive to do so.
Why not just offer a monthly subscription "service"?
Appeasement has never worked.
The only factor that matters is the adversaries residing in a jurisdiction with a lack of enforcement.
You make it sound like a simplistic game with set rules. There will be myriads of other reasons to breach companies, and even strictly sticking to the money part, doing ransom/extortion can have secondary and tertiary effects worth enough to do it even if the ransom fails.
If you look at it as a market, the victim is only one actor among many.
The only sustainable solution is to make crime no longer pay. Nothing else will work.
Basically making crime no longer pay best
Why wouldn't they do that and sell the data?
And there's of course paths to pay without losing face, like hiring a negociator or a recovery firm that acts like a bridge for the money[0]. We came to accept that companies don't act ethically and will only maximize profit, yet the narrative is still stuck on that weird assumption they care about the future of society regarding ransomware.
[0] https://zendata.security/2025/07/08/ransomware-negotiator-sc...
It might even be helpful: you could prevent the incentive to pay for security breaches regardless of the negotiation outcome.
Yes. The GDPR has provisions for this. But enforcement is still relatively light.
The reason they didn't pay is because they conducted a cost benefit analysis and decided it's not worth it to them.
No, it's not irrelevant because that future might be tomorrow. The criminals remain in possession of the data whether they get paid or not, that is, the extortion can be restarted the next day (or hour) after payment.
There's no way to trust an anonymous group you know nothing about, be it to keep their word or to keep your data safe from individual members or splintering groups.
No, whenever they decide not to pay it's because they made the decision to absorb the damage rather than pay criminals who may or not be sanctioned (and that fact may later emerge) creating additional liability. So you know that when they pay the damage would have been very great indeed. In this instance the damage is likely minor or more likely, off-sourced.
Nobody is not going to pay because that will be better for the collective to let the ransomware industry die. They may however choose to publicly state that as the reason.
Don’t pay the ransom, hackers release a subset to the public for free, then sell the rest privately
Good on Quantas for not negotiating, bad on them for shit security.
they probably didnt feel that there was a threat, as privacy of their customer's data wasn't very high on their priority list - after all, they didnt secure that data very well in the first place leading to the stolen data!
Curious, what's the worst a bad actor do with name, email address, phone number and birth date?
This kind of fraud is not special in Australia, it happens thousands of times every single day. There is currently no way to prevent it.
On another note, it's important to keep in mind that this is really the bank's problem. It's not something consumers should worry about.
> global data was stolen between April 2024 and September 2025 and includes personal and contact information of the companies’ customers and employees, including dates of birth, purchase histories and passport numbers.
which contradicts the previous statement
we'd like to think these scams are stupid but unfortunately they work
«Happy birthday! As a loyal Quantas customer, we would like to offer you a sneak peek of our upcoming Black Friday deals. Consider it a little birthday present from us.»
> “No company wants to see, you know, hundreds of thousands, or, millions of records of their customers just on the internet,” Kirk said. “That’s awful. It’s awful for the companies. It’s awful for the people affected.”
This reads to me like : "Well yeah sorry to our customers, but we're not taking a loss for our incompetance"
There's no winners here.
meanwhile I am struggling to confirm my identity to Google, what the .. :`)
Workaccount2•3mo ago
So all things that have likely been leaked 30 times already? Perhaps except the fly miles
amelius•3mo ago
sidpatil•3mo ago
ceejayoz•3mo ago
dns_snek•3mo ago
A system where they didn't get our address at all would be great but I think we would also need alternative payment providers that don't share any billing-related address information with the business.
atonse•3mo ago
I suppose that’s still better cuz then it also creates a centralized point and resources for securing the database.
LPisGood•3mo ago
I feel like if you have someone’s name, it’s not hard at all to find their birthday
djmips•3mo ago
makeitdouble•3mo ago
esseph•3mo ago