Lawyers should not advise their clients to pay out ransoms to hackers, the UK’s data protection watchdog and cybersecurity agency have warned.
In a joint letter to the Law Society, the Information Commissioner’s Office (ICO) and National Cyber Security Centre (NCSC) called on lawyers to discourage their clients from paying ransomware demands, arguing that any payments only incentivise further hacks.
The two bodies said they sought to make clear that law enforcement agencies do not condone paying out ransoms to hackers. They said that while it is not usually unlawful to pay a ransom, doing so encourages more attacks.
The letter also says firms should be wary of any sanctions they might breach by paying out a ransom. The bodies said any requests from Russian hackers should be scrutinized to ensure sanctions will not be breached.
The warning comes after hackers stole legal documents from British law firm Ward Hadaway and threatened to leak them onto the darknet, in a bid to blackmail the firm out of $6m (£4.75m), a court heard.
In its letter, the ICO also said that paying a ransom to a hacker will not result in the firm that paid facing reduced penalties for breaches of the information watchdog’s own data protection rules.