Weak Password Allowed Hackers To Sink a 158-Year-Old Company (bbc.com) 125
An anonymous reader quotes a report from the BBC: One password is believed to have been all it took for a ransomware gang to destroy a 158-year-old company and put 700 people out of work. KNP -- a Northamptonshire transport company -- is just one of tens of thousands of UK businesses that have been hit by such attacks. Big names such as M&S, Co-op and Harrods have all been attacked in recent months. The chief executive of Co-op confirmed last week that all 6.5 million of its members had had their data stolen. In KNP's case, it's thought the hackers managed to gain entry to the computer system by guessing an employee's password, after which they encrypted the company's data and locked its internal systems. KNP director Paul Abbott says he hasn't told the employee that their compromised password most likely led to the destruction of the company. "Would you want to know if it was you?" he asks. "We need organizations to take steps to secure their systems, to secure their businesses," says Richard Horne CEO of the National Cyber Security Centre (NCSC) -- where Panorama has been given exclusive access to the team battling international ransomware gangs. A gang of hackers, known as Akira, broke into the company's system and demanded a payment to restore the data. "The hackers didn't name a price, but a specialist ransomware negotiation firm estimated the sum could be as much as 5 million pounds," reports the BBC. "KNP didn't have that kind of money. In the end all the data was lost, and the company went under."
Backup (Score:5, Insightful)
The digital world is a cat-and-mouse game, and you don't want to be the mouse.
I'm sure a small part of the estimated 5 million pound ransom would have gotten them a decent backup system. Even a "hot spare".
Re: (Score:3)
Or hardware tokens that cannot be replicated in other continents.
Re: (Score:2)
This is the one that shocks me.
Haven't hardware tokens been pretty easy to use for a while?
It should have at least required a weak password and good social engineering, and realistically even a good password falls to good social engineering (which isn't particularly relaxing news).
Re: (Score:2)
I'm guessing their IT support didn't employ anyone with actual IT expertise. Maybe it was led by the company owner's kid.
Re: (Score:3)
I'm guessing their IT support didn't employ anyone with actual IT expertise. Maybe it was led by the company owner's kid.
Ahh yes, the putting all your eggs in one basket case.
Re: (Score:2)
Re: (Score:2)
Re: Backup (Score:2)
Today HW tokens is easier for the user than almost every other alternative.
Re:Backup (Score:5, Informative)
Indeed.
My company used to do IT work for physician practices. We got an urgent call for help from a doctor one day, saying their server had crashed, and they didn't have any backups. Our tech, luckily, was able to fix the problem. The first thing he did was create a backup.
A year later, the same company called again for help. The server had crashed again. When the tech took a look, he found that the last backup was the one he had done the year before.
Some people never learn.
Re: (Score:3)
I'm sure many people on here don't floss/brush their teeth regularly. When they arrive with cavities and mouth ulcer emergencies, I'm sure their dentist too says something like "some people never learn".
Re: (Score:2)
I don't know exactly how big, but it was a physician practice big enough to run their own server. That's all that matters. If you're big enough to run your own server, you'd better take care to run your server well...and do backups. If you're not, you'd better be running your practice in the cloud.
Re: (Score:2)
Re: (Score:2)
Poor phrasing. I don't know if it was the doctor personally, or one of his staff, as I wasn't in the department that handled the emergency.
Re: (Score:2)
I don't know. Was it just a shitty little Windows small office type server (Im 25 years out of that game, I dont know what the state of the art is anymore with windows servers) with a Z drive share, exchange and m
Re: (Score:3)
Some people never learn.
Some people have crap teachers. Why did your tech make a backup rather than provide consulting services on how to setup an automatic backup process? Making a backup never fixes anything.
Re: (Score:2)
You are making assumptions, I didn't detail the entire story because it would have made it too long. The tech did indeed explain to the practice exactly how to make backups.
Re: (Score:2)
Of course I am, we make assumptions based on what is provided. Now your tech explained how to do it, I will make the assumption that your tech is still bad since he (another assumption, maybe it was she) relied on humans to implement something that only successfully works when it is automated or has a strict periodic alerting system in place.
I don't even trust myself to implement backups without a system in place to remind me to do them.
Re: (Score:2)
> Some people never learn.
Hopefully he was a good physician.
Likewise this haulage company was good at getting trucks to the right places at the right times. They weren't good at IT. I'll go ahead and guess they didn't have an HR department either. They probably didn't have a finance team, perhaps just one or two people working on spreadsheets and whatnot.
The question then is... should companies like this one, or your physician's practice exist? Right now, the hackers are saying "no". They're telling us t
Re: (Score:2)
If your company--of whatever type--thinks it doesn't have the IT knowhow to manage a server, they should use cloud services instead. If you buy your own server, you'd better consider it a key investment and make sure it is managed properly. That can be done by outsourcing to contractors. But the point is, a company is responsible for managing the technology it brings in house. If they can't, they shouldn't do it at all.
Let's get physical? Get their attention first! (Score:2)
But we are all the mice now.
However part of the real problem is with bad boys who are smart enough to encrypt the backups, too. Just a matter of patience balanced against estimating the costs of figuring out and recovering from the mess even if some old backups are safe somewhere...
I think the solution has to involve disrupting the criminals' business models. Not involve creating new cryptocurrencies for laundering the loot. Not to mention the fake-money used to crypto-bribe the corrupt politicians to keep
Re: (Score:2)
Re: (Score:2)
I'm sure a small part of the estimated 5 million pound ransom would have gotten them a decent backup system. Even a "hot spare".
The 5 million pound ransom caused the company to cease operating. So yes it may have provided a hot spare, but the cost is the same - loss of the company. It's not a public company but some indications are that their pre-tax yearly profit is in the sub million pound mark, and don't forget logistics companies are still recovering from COVID where many of the small players lost 100s of thousands of dollars.
A backup serves to keep a company running. If the cost of the backup sinks the company it's not a very g
This is why you have offsite backup (Score:2)
Re: (Score:2)
Re: (Score:2)
It's hard to imagine that a proper backup solution implemented correctly wouldn't have made a difference in this case but unfortunately we'll never see enough detail to know what the attackers did and thus
Re: (Score:2)
This is still going to be linked to your main account. If you have access to the main IT guys' credentials, you have access to reset the password for the account for your online backup, and then just go delete those backups. You can't delete a hard drive in a fireproof safe in a secure office. Even if that data is 2,3 weeks, 1,2 months old or whatever, that's still a recoverable loss.
Re: (Score:2)
CrashPlan and OneDrive offer additional security and DR options, for those who want them. Further, these tools don't just back up the latest copy of your files, but every revision of your files since the beginning. Worst case, you have to restore an old version.
It's true, you can't delete a hard drive in a safe. But there are lots of other risks to physical media. If you haven't actually attempted to restore your data, you don't know if you actually *can* restore your data. It might be corrupted, the backup
Re: (Score:2)
For a small company with some on-site stuff, there's tons of options.
First make sure the backup server can access live servers and desktops and not the other way round. That stops an infected server being able to encrypt its own existing backups.
Next, use a file system that does checksums like ZFS. Have a separate isolated machine scrub each drive periodically to ensure that they still work. This just means having someone do it and having a clipboard with a checklist like how cafés have rotas for clean
Re: (Score:2)
If you're root on the system you can disable 2FA or just create a new user with whatever permissions and credentials you like
Re: This is why you have offsite backup (Score:2)
OneDrive isn't a backup. Crashplan is, but it also depends on your retention time whether you are resistant to this. And nothing helps if you got infected 6 months ago, because the 6 months old backup is useless.
Re: (Score:2)
OneDrive is as much a backup as CrashPlan. They are direct competitors, using essentially the same strategy.
Whut? (Score:3)
Was that for legal reasons? Scruples?
Re: (Score:3)
Surely the hackers would rather take what they could get. You pay the money and do better next time, no? I'm sure something is missing from the article.
Re: (Score:2)
Yeah it seems like there must be some details we are not getting.
Now I can imagine, that the intruders did not exfil the data just ciphered it in place. In which case they don't and never had access to the internal financial records. So if you tell them 'but we aint got 5 million pounds' they might say "f*** you you're lying pay us or get f***ed" and which point nothing you can do but say "no really best we can possibly come up with N pounds" and if they gangsters won't take it well that is the end of the
Re: (Score:2)
Be interesting to know where you've picked the 'tatters' tripe up from - you might be sucking down too much algorithmically driven manipulation from the internet in place of actual information. Doing OK and looking good into the near future isn't so bad. https://commonslibrary.parliam... [parliament.uk]
I see the expected downturn is hitting the US.
It's not the employee (Score:5, Insightful)
Blaming the employee for the failure of the company is wrong. The company failed because they didn't have good data management or access controls. If the password was compromised due to being "weak", then the company also didn't have good password controls.
Re: (Score:2, Interesting)
It's stupid records management policy. Company records MUST be write-once ... there should be no way for anyone (including and especially the upper management or admin) to delete/modify previously created RECORDS). e.g. there should be no operational way to "delete" or "modify" existing records. If you want to "correct" an error, just write another record indicating that the previous record is wrong, etc. if you want to delete a record, write another record indicating that the older record is no more.
That's
Re:It's not the employee (Score:5, Insightful)
"Password controls" are one of these stupid IT security myths pushed by the incompetent. All passwords of regular users need to be regarded as weak. If you need more, you _must_ add 2FA. There is no major security control catalog left that does not ask for 2FA for good authentication.
Re:It's not the employee (Score:5, Funny)
Re: (Score:3)
Re: (Score:2)
The weak link were the bean counters. Unless their IT was of the CEO's nephew variety, they repeatedly asked for money for backups but had the requests refused.
Re: (Score:3)
Re: (Score:2)
Were you paid for the building's security? Or were you the person who requested that a screen door be installed instead of a solid one to reduce costs?
If you answered "yes" to either question, then you do share the blame.
Re: (Score:2)
Re: It's not the employee (Score:2)
Re: (Score:2)
The employee specifically tasked with security, or with providing departments with funding they need, are paid to stop the pests.
That the pest is guilty doesn't need to be said. But if you were supposed to keep the pests at bay and failed to do so, you're guilty as well.
Re: (Score:2)
You are pro child fucker? You know it is illegal to fuck children and cover it up? PLEASE KEEP ALL CHILDREN AWAY FROM argStyopa THE CHILD FUCKER!!!
Re: It's not the employee (Score:2)
What if you weren't even aware of the possibility or locking your door, or even closing it, to help stop intruders ?
That strikes me as a better analogy.
You can't prevent all risks, but you can make it a little bit harder for attackers by taking some precautions. Leaving your entire company vulnerable to a single compromised password implies that those precautions weren't taken.
This strikes me more as incompetence than anything else, which is not surprising from a small company, that just wouldn't have prope
Re: (Score:2)
Wrong. (Score:5, Insightful)
Their company did not fail because of a ransomware hack.
Their company failed from not having adequate off-site backup of their data.
The cloud does absolutely nothing to protect you from needing a real disaster recovery plan, and any business that doesn't have one deserves what they plan for (or don't plan for).
Also: a backup that isn't tested is not a backup to bet your business on. Back up your shit, test your backups, and make sure there is a copy of your tested backup somewhere that a ransomware dipshit can't get to it, like LTO tapes in a closet in your office.
Re: (Score:3)
Re: (Score:2)
You can't erase tapes that aren't in the library without physical access and a big fucking magnet. Don't put your good backup into a system that is infected. Wipe that shit, unplug the network, and restore from tape. Build back up one system at a time, never connecting "clean" with "unclean" - airgap everything you are restoring from everything you haven't.
Yes, it's painful. But it's less painful than "whelp I guess we're done. Have fun looking for new employment because our entire company is fucked."
Re: (Score:2)
Without reading TFA how is cloud not off-site backup?
I would think dumping to some kinda S3 write only is more reliable than anything even a medium size company could do.
The last company I worked for we did backblaze for an S3, it couldn't be deleted or updated (versions new files). I fail to see how a company that wasn't quite large could do better on their own. Of course the big risk there is the primary backblaze account getting hacked and the whole thing killed.
Where I worked though they used RAID (mirr
Re: (Score:2)
LTO drives are cheap and plentiful. A small company can easily spend several hundred dollars as an insurance policy against being completely fucked. Back up your shit to two different tapes - one stays in the drive, the other goes home with someone, or gets put in a deposit box or safe, etc.
None of this is new - many small businesses that aren't being really risky with their important data have been using DAT drives to back things up since the 90s, and a single LTO tape will hold hundreds of gigs of data
Re: (Score:2)
If I had a choice for my last line of defense on data preservation between laymen shuffling tapes and using a cloud provider like Amazon or Back Blaze's S3 storage I am going with the cloud.
I feel like it's less likely to silently fail, and the exposure for a known failure (to change to other S3) is pretty short.
Localish tapes have the advantage of quicker cataclysmic recovery though.
Re: (Score:2)
like LTO tapes in a closet in your office.
Better yet are LTO tapes off your office.
Hacks are not the only disaster that can happen to a digital business, old fashioned physical disasters (i.e. fires, floods) will destroy your local data and your local backups as well.
No. (Score:5, Insightful)
No; a weak password did not kill this company.
Management not investing in the most basic of backup systems is what killed the company.
Companies get their systems wiped out everyday nowadays by ransomeware hackers. Then, they pull the plug on the internet, scrub the computers, and restore from a recent backup. That is management.
This is stupidity.
Re: (Score:3)
This is stupidity.
I would call it gross negligence instead, because you have to be entirely disconnected from the real world to not be aware of this threat.
So, no write-protected backups, no BCM and DR preparations, no strong authentication, and hence no ransomware preparedness. This is 100% on the decision makers that screwed up to an unbelievable degree.
Re: (Score:2)
Re: (Score:2)
It is. Which is why at least in Europe, legal responsibility remains fully with the company and not the service provider. Which means the decision makers were still grossly negligent and should probably go to prison for what they did.
Re: (Score:2)
Then, they pull the plug on the internet, scrub the computers, and restore from a recent backup. That is management.
This is stupidity.
Have any of the ransomware attacks taken the step of trashing/encrypting the backups and then waiting for some period to attack the live systems, so that restoring from a recent backup isn't an option? Most backup systems expire older backups on some schedule to avoid an unending increase in the size of their backup storage pool. So, an attacker could either destroy the backup system directly, or they could let the backup system destroy itself if they encrypted everything, but had the systems set-up to tr
Re: (Score:2)
Yeah, I totally agree, and I get an urge to puke at this lame excuse worthy of an award.
Sorry I don't buy this excuse.. (Score:2)
In KNP's case, it's thought the hackers managed to gain entry to the computer system by guessing an employee's password, after which they encrypted the company's data and locked its internal systems. KNP director Paul Abbott says he hasn't told the employee that their compromised password most likely led to the destruction of the company.
This would have to be the system administrator's password and even then I would say is was poor management if they had access to all.
This is a constant fight that I have with clients. Everything needs to be easy. Security is not a consideration. Then something happens and they look for answers that don't interfere with operations. Everyone else is to blame.
If the data is that important then it should have been secured behind more than one employees password.
Re: (Score:2)
This would have to be the system administrator's password
No. "Lateral movement" is a thing. In fact, it is an entirely standard thing in such an attack.
How many more stories? (Score:5, Insightful)
It was unthinkable to run a company without reliable backups 25+ years ago. Today I'd call it criminal negligent. How many more stories does the CIO need before s/he make this a priority?
Just incredible how this keeps happening.
Re: (Score:3)
> stories does the CIO need before s/he make this a priority?
I think you're over-estimating this company. They didn't have a C-suite - just a handful of people working out of a building on the side of a yard where they kept the trucks. Think more like 2-3 people answer the phone, printing things on triplicate paper and running them out to drivers to give them their jobs for the day.
There was no CIO, not even a CEO really, no HR department, no legal team, and most likely no full time sysadmin either. More
Re: (Score:2)
They obviously had IT in some capacity; whoever they had set it up did them dirty if they didn't emphasize the importance of backups.
I know; I've been "that guy" who helped out a small company get on their IT feet, as it were. I always stressed the importance of backup routines, of how to take care of their data. I gave them scenarios where, if I get called for X, I won't be able to help them if they weren't on top of their backup routine. I always asked them what that'd mean to them and their business. I
IT department did this (Score:3)
Unless the IT dept tried to implement security and proper backups and were denied, this is the IT departments fault. Some random employee with a weak password can't cause the loss of a properly implemented network.
Re: (Score:2)
And in the real world, the responsible C-levels fired anybody that was pushing for real security and replaces them with weak yes-men.
In most cases, something like this is actually the fault of the ones that hired the IT people.
Re: IT department did this (Score:2)
Or more likely IT asked for IDS, DR, security audits etc etc and that budget got nixed as costing too much
Backups often won't help (Score:5, Interesting)
This is if you actually have encrypted, off site and immutable backups that are worth poisoning. When was the last time you checked in your company how easy it is to infect backups?
This is why some EDR solutions have anti-ransomeware mechanisms to secure contents before or as it's being encrypted.
This is also why you might have a managed SIEM service so when dodgy stuff happens on your network it can be caught early or reacted to before everything is crypto locked.
Also there you might look at replication solutions that will help you recover by restoring only parts of the data you know is safe based on signing or last update values.
The answer is not EDR or XDR or SIEM, replication, immutable backups etc etc althought that's tempting.
The answer is proportional training and defence in depth with an incident response plan to match for when shit happens you can take appropriate action.
As a security professional it is your job to consider the realistic risk to the company, the cost of the impact should an incident occur and how to mitigate, avoid, prevent or accept that risk. Ideally at a much lower cost.
When a CEO wants to know why money should be spent, AKA what is the return on security investment this story and it's impact should not be quoted. Instead it's better to understand the relevant risk and impact to the specific business of that CEO's company.
How much could a ransomeware attack cost your business? What are the odds you'll be attacked in the next 10 years? What is the cost of mitigation per year? Should you outsource? Should you get cyber insurance? Do you need a crack team of ITsec incident response professionals?
Hire a consultant today. One annual thorough annual review might save you and your employees a lot.
Re: (Score:2)
Backup poisoning? AFAIK, that is a myth. Got any references for that?
What a ransomware gang does if they can reach the backups is simply delete them.
Re:Backups often won't help (Score:5, Interesting)
A ransomeware group worth spit would have poisoned your backups so when you're having your genius moment to restore from snapshot or tape backup from last month guess what? It has ransomeware as well!
My recent backups might be infected, but my "day of compromise minus one" backups won't.
Even if my recent backups are infected, they are likely to not be ransomware-encrypted, which means they are still useful to me.
Re: (Score:2)
my "day of compromise minus one" backups won't.
What day is that? A ransomware group worth spit doesn't "pull the plug" the day after they compromise a system. They might wait weeks or even months before scrambling your systems after the infection is in place.
Re: Backups often won't help (Score:2)
The you still lost all your current data. All your current customers are going to pick a new logistics company. They're not going to wait around while you fix your shit.
If you can recover, how are you going to get these customers back? You're no longer trusted. They've already spent the cost to move to your competitors.
They probably figured it would be better to shut down the company now, than wait for it to lose all its money and go into liquidation. Why would the owners risk losing everything? Limited lia
Re: (Score:3)
You shouldn't be doing whole-disk backups, you should be doing data backups and the restore procedure should reinstall the OS from separate media or backups.
Then there is no such thing as a "poisoned" backup that "has ransomware."
Re: (Score:2)
Oh good gosh doesn't every admin know this already? Story time, kids. Once upon a time I was the person responsible for everything IT at a 20MM+ company. Was there for 8 years, the worst things that ever happened other than hardware failures was a few times an individual's workstation got compromised. It never spread beyond that device. Monkeyfucker CEO decides he can save money by firing me and hiring a friend-of-a-friend. Welp, about a year later they got hit with ransomware. Backups were unusabl
Re: (Score:2)
The answer is all of these things, and in the worst case you can restore your data from the backups but not the software. You did create documentation of the install process so that you can repeat it without having to do a bunch of figuring things out again, right?
Right?
Failure to prepare is preparing to fail. (Score:2)
Complacency and an odd loathing of "modern" technology (computers are no longer "modern" in 2025 while everyone has had decades to get familiar) among many who should know better will continue to end in tears.
I use stories like this one to remind my friends to back up their data and in at least three places (the Rule of Threes is easy for non-techies to remember).
If your business burns to the fucking ground your backup(s) should permit rapid reload from bare metal. Many Slashdotters back up our personal dat
Incompetence kills (Score:2)
And if "one bad password" is enough to kill a company, then the C-levels there screwed up massively. Probably criminally negligent at that scale.
Looking for an exit. (Score:3)
"We're under a ransomware attack? No... don't get an actual demand. Blame the owner of the weak credentials? No, no need to make them feel bad. Let's just close up shop and call it a day."
This just screams opportunity. My guess is that the owners are not particularly unhappy here. If the company was a healthy going concern, I'll eat my hat.
Re: (Score:2)
(My local backup: I have no mod points, but that crossed my mind, too.)
No emergency plan (Score:2)
just one of tens of thousands of UK businesses that have been hit by such attacks
We don't see tens of thousands of UK businesses closing their doors after being hit by such attacks. If a company can be brought down by a ransomware attack, it's ripe for being brought down. There's not reason for a business to be *that* fragile. If they are, they aren't planning for emergency situations.
Re: (Score:2)
You are just silly.
They have a bunch of trucks, and drivers to drive them and workers to load them.
Everything else is "on the computers".
Every day a bunch of trucks enters their yard and unloads its cargo.
Without the information on the computers: they do not know wehre to sent it ... and so on.
It is not a pizza shop, where the owner can ride a bicycle to "another shop" and buy 100 eggs and 50 pounds of flour and carry it back himself to his shop.
Re: (Score:2)
What's your point?
All those other thousands of businesses that were attacked, also rely on computers to manage their logistics. If they didn't, there would be nothing for the hackers to attack.
Re: (Score:2)
It is a difference if you "rely" on something, or if you can not do it without it.
It might be just semantics for you, but the corporation in this case could not continue their business, so they shut it down.
They probably did not even know how much they rely(ed) on their computers.
Re: (Score:2)
So your contention is that this company was unique in their unpreparedness and ignorance? I doubt it.
More like hackers fail (Score:2)
They wanted to extort money in a ransomware attack. Instead they got nothing.
The company owners probably made the decision to quit while they're ahead, instead of risk losing more money.
The cost of time to recovery from total failure? (Score:2)
I've read so many people saying "should have had backups", but nobody has considered the time to rebuild from catastrophic failure. Every system and server is down, full restore and recovery to a time before infection (and validation of that).
The company was a transport company with 500 trucks on the road. That's a lot of logistics in play that need to have continuity, each one with cost of probably tens of thousands a day, or more, with heavy non-complete penalties for failure.
Full catastrophic failure c
The managers are full of it (Score:3, Informative)
Re: The managers are full of it (Score:2)
Fixing their systems would take how long?
Their customers would have immediately started looking elsewhere, and invoking contract clauses so they don't have to pay.
Now the company has no revenue or customers. And no one trusts them anymore. Explain how to recover from that. Better to cut losses than slowly bleed out.
Weak Security Policies Sink a 158-Year-Old Company (Score:2)
Takes actual, competent IT personnel. (Score:2)
I've worked with a lot of small businesses. Two stories.
I was at a new customer site, installing software on their server and setting things up. They had a sweet setup with an automatic tape backup. Thing is, they were supposed to swap out the tape (and take it offsite), but no one had done so in ages. The current tape - broken. So there had been no backup in over a year.
In another case, they had an IT savvy employee who handled everything for them as an extra duty. When he left, no one picked up the task
Okay, but I have an important question. (Score:2)
Was their URL clownpenis.fart?
keep vital systems offline ! (Score:2)
that's not "all it took" (Score:2)
"one cracked password" was NOT "all it took". That was just one link in a long chain. Bad/nonexistent backups, inadequate/nonexistent logging, obsolete hardware/inadequate patches and updates, lack of compartmentalized access, etc etc.
This sounds like what happens when the owner's nephew is managing the network. And now they're trying to play the blame-game for one password having "ruined everything". But for them it doesn't really matter anymore. They have no lessons to learn, it doesn't matter who or
Nope, not weak password (Score:2)
Sheer negligence. That's what drove this company into bankrupcy.
Incompetence doesn't even begin to cover it, because that would mean they tried *something* to have backups of the heart of their business.
If your business can't run without it, perhaps you should have contingency plans on how to protect it?
Especially these days. These attacks aren't uncommon. If you don't have backup plans you are simply hoping they don't find you, which is stupid.
Re: (Score:3)
Well, there is "following" guidelines and there is "following" them. And they may not even have done the fake version, but just told the press they did.
As to "cyber insurance", the insurance gives you what you have a contract for if you followed the conditions in that contract. "Cyber insurance" is an entirely unspecific term and can mean basically anything.
Bottom line is, they got hit, they were unprepared and they got wiped out. I see some very high likelihood of at least gross negligence in the C-levels.
Re: (Score:2)
So you mean for the C-levels of this company for this punishment, right? Because you aren't going to get to the hackers, who are just as likely in China, Korea or Russia.
Re: (Score:2)