1. It should be illegal for any company to pay ransomware attackers. Period. No payout ever. 2. The penalty for being the attacker should be linked to the system they violated. If you do this to a hospital and someone dies, you get life in prison / the chair. The minimum sentence should be so painful that it deters the attack.
No, this will not stop this, and companies need to be held accountable for their lack of security investment. Every attack should be investigated to determine whether the company met agreed industry-standard best practices, staffing, etc. The penalties for not meeting the requirements should be punitive.
Shouldn’t we be focusing on making it harder to pay overseas criminals in the first place? /ahem/ crypto platforms facilitating transfers to bad actors /ahem/
One of those eye opening moments for me was learning about how these criminals work on trust. They need to be trusted to not release the data or to unencrypt when paid, and by and large they do.
One way to weaken any group that works on trust would be to make them less trustworthy. That way victims wouldn't be as confident paying the criminals and thereby making the effort by the criminals less attractive.
When will countries start treating cyberattacks as an act of war? If the North Korean military came to America and robbed Fort Knox of $200M in gold there would be retribution. But hack an American company for the same amount and the feds do nothing.
Your "minimum sentence so painful" will certainly dissuade foreign nationals, even foreign governments.
I disagree wholeheartedly with this.
A loved one, gun to the head: "Please pay the ransom, I don't want to die!"
What's your play now? Save your loved one, and go to prison? Or worse, the bank blocks the transfer, and they die?
Go ahead and tax ransom payments (0 tax if a human life is at risk, 10x otherwise) if you have to, but making it illegal feels disconnected from the messiness of the real world. Then, go after the attackers.
If someone robs a bank and someone inside dies of a heart attack, that's felony murder. I would be happy if the same applied to ransom attacks or other blackmail/leaking of info. If someone commits suicide because of it, it's murder.
> If you do this to a hospital and someone dies you are life in prison / chair.
If you're going to get the chair you might as well murder some witnesses or destroy some systems to hide the fact you got hacked. "Hack? What hack? Our servers all burned down in an arson attack".
We could also throw the CEOs of companies who don't properly secure their infrastructure and pay their security engineers enough in jail. A little justice on both ends.
The only way to prevent terrorism is to never meet terrorists' demands.
Failure to protect a computer system from a foreseen failure should result in piercing the corporate veil, with all stockholders and managers/leadership of the funds being jailed for the same period as the perpetrator. It is the only way to ensure that these things are taken seriously and enough pressure is put on the leadership of companies.
> No this will not stop this and companies need to be held accountable for their lack of security investment.
I think in principle it's sound. I'm also just baffled hearing anecdotes from friends that are in the big corp world and hearing the type of incidents they have, and how they respond to them. It makes me wonder if there is enough capable talent to go around for the "boring corp" crowd.
Hint: I don't think there is nearly enough talent to go round, but for these companies, it's either that they think they have solid experts (and didn't), OR it's not a real priority until you get hit.
Or maybe it should be mandatory for all companies to pay ransomware attackers. Think of it as an involuntary bounty program. Now they get to just say 'sorry (for your hurt feelings)' and suffer no consequences.
Apart from the 4% of the total worldwide annual turnover fine that theoretically could be levied under GDPR, but has never been imposed in full.
> It should be illegal for any company to pay ransomware attacks. Period.
That makes as much sense as illegal to give your wallet to a mugger.
I.e. no sense.
1. It should be illegal to run insecure services. Massive Fines.
2. The payout to the hackers should form part, but not all of the penalties. Pay those guys for their great service to humanity they earned it.
> It should be illegal
It should be illegal to host insecure services, especially when you're dealing with PII. Breaches keep happening and nobody gives a fuck, because the worst that'll happen is you might lose a handful of customers and buy some "credit monitoring".
Incidents like this should be followed by an audit and charges being laid. Send corp officers to jail for negligent security failures. If you can go to jail for accounting fraud, you should be able to go to jail for cybersecurity-promises-fraud.
They claim to be compliant with a number of security standards [1]. I would love to see a postmortem audit of how much of this they actually implemented.
[1] https://www.instructure.com/en-au/trust-center/compliance