I don't see why a company would pay a ransom to protect their customers from identity theft -- the losses are public, while the costs to them are a very small number of customers that read about this, think they're likely to lose the data again, didn't already lose their data in this leak, remember this story at the time of purchase, and value that more than things like ticket time or ticket price. I don't think the hackers should be making any money this way.
That's the official stance, but if it really mattered they'd pay.
And there's of course paths to pay without losing face, like hiring a negociator or a recovery firm that acts like a bridge for the money[0]. We came to accept that companies don't act ethically and will only maximize profit, yet the narrative is still stuck on that weird assumption they care about the future of society regarding ransomware.
Tragedy of the commons. It's irrelevant to the extorted company whether or not it becomes more common in the future, they have a much bigger problem now.
The reason they didn't pay is because they conducted a cost benefit analysis and decided it's not worth it to them.
> It's irrelevant to the extorted company whether or not it becomes more common in the future, they have a much bigger problem now.
No, it's not irrelevant because that future might be tomorrow. The criminals remain in possession of the data whether they get paid or not, that is, the extortion can be restarted the next day (or hour) after payment.
There's no way to trust an anonymous group you know nothing about, be it to keep their word or to keep your data safe from individual members or splintering groups.
That would be part of the cost benefit analysis. And you would be surprised how "trustworthy" these ransomware groups are. Probably because publishing the data is a hassle they would rather do without, and finding actual buyers for such data is hard (corporations don't tend to have black budgets).
No, whenever they decide not to pay it's because they made the decision to absorb the damage rather than pay criminals who may or not be sanctioned (and that fact may later emerge) creating additional liability. So you know that when they pay the damage would have been very great indeed. In this instance the damage is likely minor or more likely, off-sourced.
Nobody is not going to pay because that will be better for the collective to let the ransomware industry die. They may however choose to publicly state that as the reason.
The current groups, sure, but the existence of a functioning market tends to bring in more participants. Or to put it another way, there are plenty of smart people in the world who found themselves born in a less-than-ideal country and are willing to solve their problems through crime.
The only sustainable solution is to make crime no longer pay. Nothing else will work.
The other solution is making those “less than ideal” countries have more attractive legal economic opportunities so that crime isn’t an attractive alternative.
The only reason these persist is because companies pay out and they can receive it in untraceable crypto currency in countries that are nearly to prosecute them in.
You make it sound like a simplistic game with set rules. There will be myriads of other reasons to breach companies, and even strictly sticking to the money part, doing ransom/extortion can have secondary and tertiary effects worth enough to do it even if the ransom fails.
If you look at it as a market, the victim is only one actor among many.
I think ransom is also a bit of a misnomer that the hackers deliberately use to frame the transaction in a more positive light.
I mean, it's just extortion. Nothing is being ransomed, you don't get something back and you can't really secure something already lost. It suffers from the same problems as other forms of extortion, namely that you can't really trust the other party to do what you want and really they have no incentive to do so.
And the best part? The ransomware startup can now mark the income as MRR extending to infinity, thereby significantly increasing the startup's valuation! If you want to learn more about B2B sales, hit that like button and click on this .exe file to subscribe for more updates.
but the parent post's point still stands - extortion (or ransom) requires something important to be held. If the private data of customers is not actually important, it cannot be used as a threat in the extortion.
We have public agencies like the police that are paid for by the tax-payers for securing property. Are there similar agencies who are incentivized to stop these situations. During the pipeline breaches several years back, I recall aggressive action to disrupt the money-trail.
To the extent these situation are as illegal as property theft, public agencies tasked with law enforcement, like the police, are in the same position to secure your data as they are to secure your property, no?
It’s even more dystopian than that. In Australia itself, Qantas is the only carrier between many cities. So if you decide to not book Qantas, you’re potentially driving across the Outback.
> The Qantas data, which was stolen from a Salesforce database in a major cyber-attack in June, included customers’ email addresses, phone numbers, birth dates and frequent flyer numbers. It did not contain credit card details, financial information or passport details.
Curious, what's the worst a bad actor do with name, email address, phone number and birth date?
Phishing. Super easy now to send a fake email with a great offer, and have your name and loyalty programme number right there in the email. Much easier to trick someone when your email contains a bunch of personal info that you wouldn’t assume others to have.
«Happy birthday! As a loyal Quantas customer, we would like to offer you a sneak peek of our upcoming Black Friday deals. Consider it a little birthday present from us.»
To apply for a credit card in Australia, you need to supply at least two forms of ID, such as an Australian driver's license, passport, or Medicare card.
Do the banks actually check that the documents are legit? I'm sure your favorite LLM can generate pictures of all these documents in the blink of an eye.
Because they usually don't, and they certainly don't in Australia where it's essentially impossible. The government run IDMatch DVS can verify that the biographic information is correct, but can not verify the authenticity of the document.
This kind of fraud is not special in Australia, it happens thousands of times every single day. There is currently no way to prevent it.
The last time I applied for a credit card (about 4 years ago) in Australia, the bank used an app that read the photo page and chip of my passport to verify that it was a real document. That process does verify the authenticity of the document.
There are IDs in Australia which can be verified this way. There are also more than enough accepted IDs that can not, rendering such verification mechanisms rather pointless.
On another note, it's important to keep in mind that this is really the bank's problem. It's not something consumers should worry about.
> global data was stolen between April 2024 and September 2025 and includes personal and contact information of the companies’ customers and employees, including dates of birth, purchase histories and passport numbers.
scam call you with further fake extortions like "I'm in jail mom you need to bail me out!" since they have birthdates they can target older people for this. my mom has received at least four of these calls, since I always get the "ARE YOU OK? WAS THAT A SCAM?" phone call afterwards. the first time it happened, they were about to go to the bank to wire money when dad said, "let's try calling his cell!"
we'd like to think these scams are stupid but unfortunately they work
Authenticate to phone banking in the name of a customer and request a personal loan. And in general, open a large line of credit in someone else's name.
This you can do somewhere? My bank asks me 20 questions (many like my first pet name, the last transaction I did etc) and then calls me back on the registered phone number. That data alone should get you nothing really. For credit here , small or large, you have to prove you are you or you get a nice police escort. Most of these apps, even if you are already registered, want you to tap your passport to nfc and scan your face for anything serious.
Surely name, email, phone and date of birth aren't enough to do this at any bank? That's not quite public info but near enough. I've filled that in on hundreds of forms during my life and it's info that any of my friends have.
Yes, it's a sad situation we're in. We need am indirection step in addresses. So companies don't have our actual address but instead have a handle they can use to interact with that address. And then the actual addresses should be guarded with more responsibility.
But that's just an identifier which you can easily update when you move, like a domain=>IP mapping? Businesses still have your physical address.
A system where they didn't get our address at all would be great but I think we would also need alternative payment providers that don't share any billing-related address information with the business.
they probably didnt feel that there was a threat, as privacy of their customer's data wasn't very high on their priority list - after all, they didnt secure that data very well in the first place leading to the stolen data!
This topic is always a mixed bag for me, on the one hand I don't think you should pay ransom groups as it encourages more, but also their security should be better.
> “No company wants to see, you know, hundreds of thousands, or, millions of records of their customers just on the internet,” Kirk said. “That’s awful. It’s awful for the companies. It’s awful for the people affected.”
This reads to me like : "Well yeah sorry to our customers, but we're not taking a loss for our incompetance"
I don't see why a company would pay a ransom to protect their customers from identity theft -- the losses are public, while the costs to them are a very small number of customers that read about this, think they're likely to lose the data again, didn't already lose their data in this leak, remember this story at the time of purchase, and value that more than things like ticket time or ticket price. I don't think the hackers should be making any money this way.
It's much simpler: paying will result in more crime like this.
That's the official stance, but if it really mattered they'd pay.
And there's of course paths to pay without losing face, like hiring a negociator or a recovery firm that acts like a bridge for the money[0]. We came to accept that companies don't act ethically and will only maximize profit, yet the narrative is still stuck on that weird assumption they care about the future of society regarding ransomware.
[0] https://zendata.security/2025/07/08/ransomware-negotiator-sc...
Shouldn't the company be punished for the security failure in the first place?
It might even be helpful: you could prevent the incentive to pay for security breaches regardless of the negotiation outcome.
> Shouldn't the company be punished for the security failure in the first place?
Yes. The GDPR has provisions for this. But enforcement is still relatively light.
Tragedy of the commons. It's irrelevant to the extorted company whether or not it becomes more common in the future, they have a much bigger problem now.
The reason they didn't pay is because they conducted a cost benefit analysis and decided it's not worth it to them.
> It's irrelevant to the extorted company whether or not it becomes more common in the future, they have a much bigger problem now.
No, it's not irrelevant because that future might be tomorrow. The criminals remain in possession of the data whether they get paid or not, that is, the extortion can be restarted the next day (or hour) after payment.
There's no way to trust an anonymous group you know nothing about, be it to keep their word or to keep your data safe from individual members or splintering groups.
That would be part of the cost benefit analysis. And you would be surprised how "trustworthy" these ransomware groups are. Probably because publishing the data is a hassle they would rather do without, and finding actual buyers for such data is hard (corporations don't tend to have black budgets).
No, whenever they decide not to pay it's because they made the decision to absorb the damage rather than pay criminals who may or not be sanctioned (and that fact may later emerge) creating additional liability. So you know that when they pay the damage would have been very great indeed. In this instance the damage is likely minor or more likely, off-sourced.
Nobody is not going to pay because that will be better for the collective to let the ransomware industry die. They may however choose to publicly state that as the reason.
You never know. Pay them enough and they might retire to an island somewhere instead.
The current groups, sure, but the existence of a functioning market tends to bring in more participants. Or to put it another way, there are plenty of smart people in the world who found themselves born in a less-than-ideal country and are willing to solve their problems through crime.
The only sustainable solution is to make crime no longer pay. Nothing else will work.
The other solution is making those “less than ideal” countries have more attractive legal economic opportunities so that crime isn’t an attractive alternative.
Basically making crime no longer pay best
That requires cultural changes through a timescale of generations, so it’s not a feasible solution.
Or let those smart people easily move to little-bit-more-ideal countries.
Fun fact: emigration laws in despotic third-world shitholes ruled by autocrats aren't the same emigration laws that privileged westerners enjoy.
> Pay them enough and they might retire to an island somewhere instead.
Why wouldn't they do that and sell the data?
If you send me 200 million I will put that to the test for you.
He wrote "more crime like this", not "more crime like this committed by the same group".
The only reason these persist is because companies pay out and they can receive it in untraceable crypto currency in countries that are nearly to prosecute them in.
Appeasement has never worked.
> The only reason these persist
You make it sound like a simplistic game with set rules. There will be myriads of other reasons to breach companies, and even strictly sticking to the money part, doing ransom/extortion can have secondary and tertiary effects worth enough to do it even if the ransom fails.
If you look at it as a market, the victim is only one actor among many.
Ransomware existed before cryptocurrency, and BTC is extremely traceable - far more traceable than cash, for instance.
The only factor that matters is the adversaries residing in a jurisdiction with a lack of enforcement.
Islands are pretty expensive to live on. If anything, retiring on the island will require more crime.
I think ransom is also a bit of a misnomer that the hackers deliberately use to frame the transaction in a more positive light.
I mean, it's just extortion. Nothing is being ransomed, you don't get something back and you can't really secure something already lost. It suffers from the same problems as other forms of extortion, namely that you can't really trust the other party to do what you want and really they have no incentive to do so.
I don't think data leak extortioners have any incentive to even pretend they won't keep asking further payment.
Why not just offer a monthly subscription "service"?
And the best part? The ransomware startup can now mark the income as MRR extending to infinity, thereby significantly increasing the startup's valuation! If you want to learn more about B2B sales, hit that like button and click on this .exe file to subscribe for more updates.
thanks for the laugh, gave me a good chuckle by ".exe file"
At that point, the company should just pay for an actual security team.
Security is not a binary state. You can pay as much as you want but there’s no assurance that you won’t be hacked.
Great, now even crime groups are following consultancy advice. \s
but the parent post's point still stands - extortion (or ransom) requires something important to be held. If the private data of customers is not actually important, it cannot be used as a threat in the extortion.
We have public agencies like the police that are paid for by the tax-payers for securing property. Are there similar agencies who are incentivized to stop these situations. During the pipeline breaches several years back, I recall aggressive action to disrupt the money-trail.
To the extent these situation are as illegal as property theft, public agencies tasked with law enforcement, like the police, are in the same position to secure your data as they are to secure your property, no?
The only thing that would prevent this from happening would be if the companies make their stuff safe.
You can't police the world.
It’s even more dystopian than that. In Australia itself, Qantas is the only carrier between many cities. So if you decide to not book Qantas, you’re potentially driving across the Outback.
> The Qantas data, which was stolen from a Salesforce database in a major cyber-attack in June, included customers’ email addresses, phone numbers, birth dates and frequent flyer numbers. It did not contain credit card details, financial information or passport details.
Curious, what's the worst a bad actor do with name, email address, phone number and birth date?
Phishing. Super easy now to send a fake email with a great offer, and have your name and loyalty programme number right there in the email. Much easier to trick someone when your email contains a bunch of personal info that you wouldn’t assume others to have.
«Happy birthday! As a loyal Quantas customer, we would like to offer you a sneak peek of our upcoming Black Friday deals. Consider it a little birthday present from us.»
Apply for a credit card.
Don’t you get correspondence or insights into credit card applications in your name?
still need more info. SSN for one.
No SSN in Australia, who are the bulk of Qantas customers.
To apply for a credit card in Australia, you need to supply at least two forms of ID, such as an Australian driver's license, passport, or Medicare card.
Not only that, it seems to me that credit cards in Australia aren't handed out like candy, as they are in the US/Canada.
Do the banks actually check that the documents are legit? I'm sure your favorite LLM can generate pictures of all these documents in the blink of an eye.
Yes. Why do you think they wouldn’t?
Because they usually don't, and they certainly don't in Australia where it's essentially impossible. The government run IDMatch DVS can verify that the biographic information is correct, but can not verify the authenticity of the document.
This kind of fraud is not special in Australia, it happens thousands of times every single day. There is currently no way to prevent it.
The last time I applied for a credit card (about 4 years ago) in Australia, the bank used an app that read the photo page and chip of my passport to verify that it was a real document. That process does verify the authenticity of the document.
There are IDs in Australia which can be verified this way. There are also more than enough accepted IDs that can not, rendering such verification mechanisms rather pointless.
On another note, it's important to keep in mind that this is really the bank's problem. It's not something consumers should worry about.
SSN is available for everyone on databases available over torrents or on the darknet. You should assume your SSN is public knowledge.
And yet later in the article it states:
> global data was stolen between April 2024 and September 2025 and includes personal and contact information of the companies’ customers and employees, including dates of birth, purchase histories and passport numbers.
which contradicts the previous statement
scam call you with further fake extortions like "I'm in jail mom you need to bail me out!" since they have birthdates they can target older people for this. my mom has received at least four of these calls, since I always get the "ARE YOU OK? WAS THAT A SCAM?" phone call afterwards. the first time it happened, they were about to go to the bank to wire money when dad said, "let's try calling his cell!"
we'd like to think these scams are stupid but unfortunately they work
Authenticate to phone banking in the name of a customer and request a personal loan. And in general, open a large line of credit in someone else's name.
This you can do somewhere? My bank asks me 20 questions (many like my first pet name, the last transaction I did etc) and then calls me back on the registered phone number. That data alone should get you nothing really. For credit here , small or large, you have to prove you are you or you get a nice police escort. Most of these apps, even if you are already registered, want you to tap your passport to nfc and scan your face for anything serious.
Pretty easy at stores for example.
Your bank, sure. But what about all the other banks? Just need to target the weakest link.
Surely name, email, phone and date of birth aren't enough to do this at any bank? That's not quite public info but near enough. I've filled that in on hundreds of forms during my life and it's info that any of my friends have.
Not at any bank here and don't think anywhere: AML KYC rules would cut that down at least everywhere I know.
Where can you do all that without a social security number?
There's no concept of social security number in Australia
It's not like those numbers haven't already been leaked elsewhere.
A SSN should never be used as a "password".
I feel like I get about a notification every 2 months now for a service I used maybe once 5 or 10 years ago getting breached/extorted/leaked.
The breach included passport details ;)
>customers’ email addresses, phone numbers, birth dates and frequent flyer numbers
So all things that have likely been leaked 30 times already? Perhaps except the fly miles
Yes, it's a sad situation we're in. We need am indirection step in addresses. So companies don't have our actual address but instead have a handle they can use to interact with that address. And then the actual addresses should be guarded with more responsibility.
Japan Post is rolling out such a system: https://news.ycombinator.com/item?id=44117779
Apple also does it via “hide my email”.
But that's just an identifier which you can easily update when you move, like a domain=>IP mapping? Businesses still have your physical address.
A system where they didn't get our address at all would be great but I think we would also need alternative payment providers that don't share any billing-related address information with the business.
I love this idea, but then doesn’t it create a centralized target for hackers?
I suppose that’s still better cuz then it also creates a centralized point and resources for securing the database.
It’s weird to think that just a few years ago your phone number and address were shared with tens of thousands of people in a massive book.
I feel like if you have someone’s name, it’s not hard at all to find their birthday
And you paid every year to not be listed. The core principle was indeed similar.
I bet the a White Pages publishers are kicking themselves that they never thought of extortion!
More details further in there, but they also leaked passport data.
Pay the ransom, hackers then sell the data privately
Don’t pay the ransom, hackers release a subset to the public for free, then sell the rest privately
Good on Quantas for not negotiating, bad on them for shit security.
> Good on Qantas for not negotiating
they probably didnt feel that there was a threat, as privacy of their customer's data wasn't very high on their priority list - after all, they didnt secure that data very well in the first place leading to the stolen data!
I'd never heard of Quantas. I have heard of Salesforce. Nothing particularly glowing, though.
That just means you arent Australian. Every Australian has heard of Quantas.
Or if you visit Australia, there is a high chance to get to know it. At least, it was impossible for me to avoid it when I planned my visit there.
Qantas*
Kwantas*
Haven’t they sold that to some dubious partners already?
I see a class action coming against Qantas .....
Is this from the Salesforce breach?
Yes
This topic is always a mixed bag for me, on the one hand I don't think you should pay ransom groups as it encourages more, but also their security should be better.
> “No company wants to see, you know, hundreds of thousands, or, millions of records of their customers just on the internet,” Kirk said. “That’s awful. It’s awful for the companies. It’s awful for the people affected.”
This reads to me like : "Well yeah sorry to our customers, but we're not taking a loss for our incompetance"
There's no winners here.