UK ‘increasingly concerned’ ransomware victims are keeping incidents secret
British authorities are “increasingly concerned” that ransomware victims in the country are keeping incidents secret, the National Cyber Security Centre (NCSC) said.
In a blog post published Thursday morning local time and co-written with the Information Commissioner’s Office (ICO), the body responsible for upholding data protection laws including obligations to disclose breaches, the NCSC said both organizations “deal with the fallout from serious cyber attacks every day.”
“Our responsibilities are different, but we both work on incidents that can take down businesses, severely impact national services and infrastructure, and massively disrupt people’s day-to-day lives,” the organizations wrote.
However, it’s “the attacks we don’t hear about… that aren’t reported to us and pass quietly by, pushed to one side, the ransoms paid to make them go away,” that are driving anxieties among the authorities.
“If attacks are covered up, the criminals enjoy greater success, and more attacks take place,” said the NCSC.
In their blog post, the organizations tackle a number of “myths around responding to cyber attacks,” stating that more transparency is a good thing for everyone.
The myths include that reporting incidents makes it more likely that they will be publicized; that making an extortion payment can make the incident go away; or that having good offline backups means organizations won’t have to pay a ransom.
Eleanor Fairford, the NCSC’s deputy director for incident management, said: “Keeping a cyber attack secret helps nobody except the perpetrators so we strongly encourage victims to report incidents and seek support to help effectively deal with the fallout.
“By responding openly and sharing information, organizations can help mitigate the risk to their operations and reputation, as well as break the cycle of crime to prevent others from falling victim,” she added.
Mihaela Jembei, the director of regulatory cyber at the ICO, said: “The fact remains that there is a regulatory requirement to report cyber incidents to the ICO, but transparency is more than simply complying with the law. Cyber crime is a borderless and global threat and it’s through knowledge sharing that we can help organizations help themselves.”
Their message follows comments made by Jen Easterly, the head of the U.S. Cybersecurity and Infrastructure Security Agency, who criticized the typical way businesses handle incidents.
“When most companies detect a cyber-intrusion, too often their default response is: call the lawyers, bring in an incident response firm, and share information only to the minimum extent required,” Easterly co-wrote in an article for Foreign Affairs. “They often neglect to report cyber-intrusions to the government for fear of regulatory liability and reputational damage. In today’s highly connected world, this is a race to the bottom.”
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.