hypeatei 1 day ago

Whatever you think of Coinbase, this is a pretty good response IMO:

> and will not pay the $20 million ransom demand we received. Instead we are establishing a $20 million reward fund for information leading to the arrest and conviction of the criminals responsible

phdp 23 hours ago

No it isn’t! The headline they used is “Protecting Our Customers - Standing Up to Extortionists.” My issue with it is that they word their announcement in a way that leads people to congratulate them instead of saying we’re sorry for leaking your private information. I’m so angry at them over this.

Additionally the email they sent me had the subject “important notice” and that my personal account was affected as the third sentence in a rather wordy paragraph. None of this is ok and this is not a company taking this seriously.

ajma 1 day ago

That's the same move from the Ransom movie from 1996 https://youtu.be/haThIxPnYro?si=Jxu0elA-ylB5Z15q

twodave 1 day ago

I love it. This also would have been a great opportunity to break out of corporate speak for a moment for a good “Up yours hacker assholes!” Even us folks in the Bible Belt appreciate a well-timed swear word here and there.

pcl 1 day ago

I’d say the better thing for customers would be to pay the ransom demand and get the PII back. If they want to fund a reward scheme too, well great, but if it were my data, I’d care more about Coinbase limiting the breach of the data, not playing around with retaliatory rewards.

hypeatei 1 day ago

There is no guarantee that an anonymous criminal is going to hold up their end of the agreement. Coinbase has no idea who they're negotiating with or where that data has been shared.

That, and they're reimbursing customers who were tricked.

int_19h 1 day ago

In addition, paying the ransom would be an open invitation for everybody else to try the same attack, with the net result that all customers are less secure in the long run.

deburo 1 day ago

Limiting? The damage is already done.