And here we go. Yes, we are well aware of how ransomware works, but flat out saying they ignored it like it would just go away is just pure speculation spew (again). Many companies do not pay the ransomware while others do pay it. Those companies have their reasons for doing either of those. In cases like Sangoma, a large corp, there could be a legal team saying “Don’t pay”.
Ya sure about that? Because spending 15 minutes reviewing that law shows this:
An entity must take all reasonable steps to complete the assessment within 30 calendar days after the day the entity became aware of the grounds (or information) that caused it to suspect an eligible data breach (s 26WH(2)).
Timing of notification
Entities must notify individuals as soon as practicable after completing the statement prepared for notifying the Commissioner (s 26WL(3)).
Oh and apparently there are three ways to do notifications.
- All Users - Blanket statement.
- Impacted Users - If you know exactly who was impacted, just notify them not all users.
- Don’t have current contact information? You just need to publicly post the details of the breach on your website.
So yeah, in Australia they would have 30 days to put the report together for the regulators after they found the breach. THEN they would do notifications.