Why People Are Paying Hackers for Deleted Data
Paying hackers to delete stolen or exfiltrated data sounds counterintuitive — and risky — yet it’s become a recurring reality for companies, hospitals, and even governments. These payments range from negotiated “data deletion” fees to traditional ransom payments for restoration. Understanding why victims sometimes pay, the real risks involved, and what alternatives exist is essential for security and compliance teams, execs, and anyone who cares about digital safety.
This article explains the mechanics, offers real-life examples, examines why paying is controversial and often ineffective, and gives an expert-backed checklist organizations can use instead.
Quick answer: Why do victims pay?
Organizations often pay because they face one or more of these pressures at once: imminent reputational damage, risk to customers’ safety (especially in healthcare), interrupted operations, legal obligations, and the perception that paying is the fastest way to stop a leak or recover systems. But paying is not a guaranteed fix — evidence shows it often funds criminals and sometimes fails to produce the promised deletion. krebsonsecurity.com+1
How this scam/market works — a short primer
- Data exfiltration: Attackers steal files (customer records, intellectual property, logs).
- Extortion/Leak threat: Attackers publish a sample, threaten release, or put the data up for auction.
- Demand & negotiation: The threat actor sets a price — often negotiable — to delete data, not publish it, or to provide decryption keys.
- Payment & proof: After payment, attackers may provide “proof of deletion” (screenshots, videos) but proof can be faked and deletion cannot be independently verified. krebsonsecurity.com+1
Real-life examples (what actually happened)
- AT&T (call record theft) — AT&T reportedly paid a hacker group roughly $370,000 in bitcoin after call-record metadata was stolen; the attacker supplied a video claiming data deletion, but uncertainty remained about whether copies had spread. This case shows both why companies pay (to limit exposure) and why such payments don’t ensure safety. WIRED
- SimonMed (medical records extortion) — In a 2025 incident, attackers demanded $1M to delete stolen medical files or billed daily fees to delay publication; later removals from leak sites raised questions about whether a payment occurred. Healthcare targets pay out of concern for patient privacy and regulatory fallout. Fox News
- Large healthcare and insurer incidents — Allegations and forum posts have claimed multi-million dollar payments in high-profile healthcare and insurance breaches (e.g., claims about payments following compromises). Public confirmation is often limited; nonetheless, the market pressure remains. Reuters+1
These cases illustrate both the motivation to pay and the ambiguous outcomes that often follow.
Why paying is a precarious choice — expert findings
| Argument for Paying | What the evidence says |
|---|---|
| Faster mitigation | May reduce immediate publication risk but is not guaranteed; attackers can publish despite payments. krebsonsecurity.com |
| Operational continuity | Paying can occasionally restore access (ransomware decryption), but many victims do not fully recover even after payment. Forbes |
| Protect customers | Short-term privacy risk may drop, but copies and backups may already have circulated. krebsonsecurity.com |
| Legal/PR pressure | Paying can reduce immediate headlines, but regulators and insurers may frown on payments and it funds criminals. Axios+1 |
Bottom line: payment is a gamble with moral, legal, and practical downsides. Studies and incident reports repeatedly show payments often fail to produce lasting protection and sustain the criminal business model. krebsonsecurity.com+1
Why some organizations still decide to pay
- Perceived cost-benefit: Leaders sometimes conclude the cost of paying is lower than the expected cost of public disclosure, regulatory fines, remediation, and lost business.
- Pressure: Boards, PR teams, or regulators may press for the fastest visible remediation.
- Lack of preparedness: Organizations without tested incident response plans see payment as the only immediate option.
- Negotiation success stories: Reports show some victims negotiate reduced amounts — and sometimes get what they want — which reinforces the behavior. Axios
The lie of “proof of deletion” and why trust is fragile
Threat actors often provide digital “proof” (screenshots, videos, hashes) that claim deletion. These can be fabricated, staged, or only show deletion in one place while other copies exist. Even if a specific storage account is cleared, the data may already be mirrored, sold, or archived elsewhere. Forensic confirmation is difficult and rarely absolute. krebsonsecurity.com+1
Legal, regulatory, and ethical risks of paying
- Funding criminal activity: Payments finance future attacks and can be illegal if they violate sanctions or anti-money-laundering laws.
- Regulatory scrutiny: Governments are increasingly discouraging or restricting ransom payments (e.g., UK policy moves), and mandatory reporting regimes can complicate payment. The Guardian
- Insurance implications: Insurers may impose conditions, require notification, or refuse coverage if policies are violated.
- Civil liability: Paying without informing affected individuals or regulators could expose an organization to lawsuits. The HIPAA Journal
Alternatives and the right response: a practical incident-response checklist
- Activate your IR plan immediately — Playbooks and tabletop exercises save time and prevent bad decisions.
- Isolate and contain — Stop ongoing exfiltration and preserve forensic evidence.
- Engage legal counsel and regulators — Know your reporting obligations (data-protection authorities, sector regulators).
- Contact law enforcement — Report the breach to national/international cybercrime units.
- Bring in specialized CSIRTs / DFIR teams — Use trusted forensic providers to assess scope and validate attacker claims.
- Communicate transparently — Prepare public and stakeholder messaging to reduce reputational damage.
- Consider negotiation only with oversight — If negotiating, involve counsel, threat intelligence partners, and ensure compliance with sanctions laws.
- Strengthen defenses post-incident — Patch, rotate credentials, enable MFA everywhere, and improve backups.
- Plan for long-term remediation — Notify affected parties, offer identity protection where appropriate, and document decisions for regulators.
This path emphasizes resilience and oversight over ad-hoc payments.
Table: When paying might be considered — and when it definitely shouldn’t be
| Situation | Consider Paying? | Why / Risks |
|---|---|---|
| Operational downtime threatens patient safety (healthcare) | Possibly, but only as last resort with regulator/law-enforcement input | Immediacy vs legality; must involve authorities. Fox News |
| Limited exposure, data already public | No | Payment unlikely to remove all copies. krebsonsecurity.com |
| Large-scale data exfiltration with regulatory obligations | No (seek counsel) | Paying could worsen legal standing and attract fines. The HIPAA Journal |
| Encrypted systems, no exfiltration (classic ransomware) | Case-by-case — better mitigations exist | Backups + forensics often superior to paying. Forbes |
FAQs
Q1 — Does paying guarantee deletion?
No. Proof can be faked and copies may already exist. Payments are a high-risk gamble. krebsonsecurity.com
Q2 — Are companies legally allowed to pay hackers?
Sometimes, but not always. Governments are moving to restrict payments to deter crime and ensure compliance with sanctions. Always consult legal counsel and law enforcement before paying. The Guardian
Q3 — What should I do if my organization’s data is stolen?
Activate your incident response, engage forensic experts, notify regulators as required, and avoid unilateral decisions to pay without counsel and law enforcement input. (See checklist above.)
Q4 — Do cyber insurers cover ransom or deletion payments?
Coverage varies by policy. Many insurers require notification and may impose conditions. Review your policy and notify your insurer immediately. Axios
Q5 — Will paying stop future attacks?
No — paying funds attackers and may encourage repeat targeting. The structural solution is stronger security, backups, and deterrence through law enforcement and policy. securelist.com
Key takeaways
- Incident reports repeatedly show payments don’t guarantee safety — organizations must prepare, not improvise. krebsonsecurity.com+1
- Forensics, legal review, and coordinated incident response materially reduce harm compared with ad hoc payments. CISA+1
- Governments and major security vendors advise against routine ransom payments; public policy is trending toward limiting payments. The Guardian+1
- Transparency with stakeholders and documented decisions are critical. Paying secretly can worsen trust and legal exposure. The HIPAA Journal
Conclusion
Paying hackers to “delete” stolen data is a dangerous, imperfect response to a much larger problem: weak preparedness. While payment can look like a quick fix under pressure, evidence shows it often fails to deliver and rewards criminal ecosystems. The better strategy is layered defenses, well-rehearsed incident response, legal and law-enforcement involvement, and policies that reduce the appeal of paying criminals.
If you’re responsible for security at an organization: build the IR playbook, test it, back up systems securely, and make payment a last, legally-reviewed resort — not a reflex.



