Negotiating with a hacker: how do you do it?

In the Cracked by Jordens series, we look at the cybersecurity of consumers and businesses in the Netherlands. Today: the attack on the TU/e, and how cybersecurity experts often act during such an attack.

Published on January 16, 2025

Everything new is wildly interesting! That's the motto of our DATA+ expert, Elcke Vels. She writes stories about AI and how it affects our society, has a series on cyber security, and interviews Dutch innovation maestros. In her “What if...” column, she also explores intriguing scenarios that deviate from the status quo.

Last weekend, Eindhoven University of Technology was hit by a cyber attack. This attack is not an isolated one. Last year, the police and defense departments, among others, were hacked. How do cybersecurity experts proceed during an attack? And negotiating with hackers: how do you go about it? We asked Patrick Jordens. He is the director of Trusted Third Party (TT3P): a Dutch company specializing in cybersecurity.

Patrick Jordens

Patrick Jordens (b. 1969) is an entrepreneur with a heart for digital security. He is the director of Trusted Third Party and the founder of DMCC Group, which helps organizations comply with all external laws and regulations and internal policies in the fields of privacy and consumer law. He is also a guest lecturer in marketing, data privacy, and ethics at the Hogeschool van Rotterdam.

There has been another cyber attack at a major Dutch organization. Were you shocked by it?

“Definitely. The cyber attack on the university clearly shows how far-reaching such an attack can be. The university has had to cancel activities, cancel classes, and postpone exams. It is a terrible situation. A university's system is vast and complex, so its recovery can take a long time.”

How do cybersecurity experts proceed during an attack?

“When a cyberattack occurs, an Incident Response Team (IRT) is often assembled, consisting of internal IT specialists and external experts. The first step is to assess the situation: which systems are affected and which threats are still active? They do this by monitoring the network and identifying suspicious activity.

The isolation phase follows. Affected systems are disconnected from the network to prevent further damage, and a copy of the systems is made for in-depth analysis. Here, experts investigate whether data was stolen or held hostage and exactly how the attack occurred.

In some cases, the affected party chooses to accept the situation and move on. Other companies decide to pay a ransom to make their systems accessible again or to get their data back. This choice often depends on the severity of the attack.”

How do you do that, negotiate with hackers?

“Negotiating with hackers is a complex and very nerve-wracking business. I go into it regularly during training sessions. My first tip is: take hackers seriously. It's better not to tell lies. For example, don't say you are short of money in your account to transfer an amount when you are not. Often they already have your personal information, such as bank details, in their hands. They often see themselves as serious business people who believe they are solving a problem: ‘We found a weakness in your system. If you pay, we'll help you get back on track.’ Sometimes hackers even have a help desk to help victims open a Bitcoin account so they can transfer bitcoins.

A second tip is: try to buy time. Hackers often do understand that a company cannot transfer a large amount of money right away and are willing to think along. Winning time might get your data back, or your system back up and running.

But no matter how you look at it, negotiating with a hacker remains risky. Ask yourself very carefully whether the stolen data is worth it. After all, you are keeping a pernicious industry alive by paying a ransom. Moreover, more and more often we see hackers pressuring an organization to pay, returning the stolen data after receiving the ransom, but then selling that same data to a third party behind your back. This phenomenon is also known as triple extortion.”

Do you have any tips so companies can minimize the impact of a hack?

“There are some things you can do preventively. Hire an expert and think structurally about your cyber security. Further: in the event of a cyber attack, analyzing log files is crucial. That way you can learn more about which files a hacker has accessed, for example. Log files must be activated beforehand, though. So make sure logging is set up correctly on all your systems.

In addition, a solid backup strategy is indispensable. Make regular backups, store them in multiple secure locations, and run tests to verify that you can restore them without problems. This prevents you from having to rely on very expensive recovery specialists after an attack.”
