EXCLUSIVE: Manchester United face £15MILLION fine if they pay hackers holding them to ransom as club call in experts to try and fight off the virus crippling their systems... and a FURTHER £18m charge could arrive if fans' data protection is breached
Manchester United face a huge fine of up to £15million if they give in to the demands of cyber hackers holding the club to ransom.
The ‘double whammy’ threat emerged as United continued to fight off the sophisticated ransomware attack that has crippled the club’s systems for more than a week, as exclusively revealed by Sportsmail.
United are already faced with a ransom demand that is believed to run into millions of pounds – or risk the possibility of highly sensitive information being leaked into the public domain.
However, if they pay the hackers to call off the attack, United could fall foul of new US legislation that is punishable by a fine of up to $20m (£15m).
Although United are a UK-based company, the Glazer-owned club are listed on the New York Stock Exchange and therefore subject to US law. Their share price dropped on Friday in the wake of Sportsmail’s revelations.
The US Treasury Department announced last month that any organisations meeting the ransom demands of hackers who appear on their global hit list risk incurring a hefty financial penalty – even if the victims are not aware of the criminals’ identity.
The list includes the Russian cybercrime gang Evil Corp, the North Korean Lazarus Group and SamSam ransomware attacks emanating from Iran.
The US Office of Foreign Assets Control, an arm of the Treasury, warned that paying the ransom demand would only boost the criminals’ finances and encourage them to strike again elsewhere.
The OFAC statement read: ‘Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.
‘Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims.
‘For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States.
‘Ransomware payments may also embolden cyber actors to engage in future attacks.’
OFAC and the UK’s National Cyber Security Centre have also warned organisations there is no guarantee criminals will keep their word if the demands are met.
This may include not handing back sensitive information they have encrypted or leaking it on the internet.
The threat of a US fine is another headache for United in addition to the threat of a penalty of up to £18m from the independent UK Government body, the Information Commissioner’s Office, if the data protection of their huge fanbase has been breached – although the club are not aware that it has.
It read: ‘We are aware of an incident affecting Manchester United Football Club and have been working with law enforcement partners in response.’
It’s understood the NCSC became involved after United contacted police following the attack nine days ago. The club have since been following a ransom protocol, but it is unclear if they will pay up.
The attack is believed to have come from an email phishing scam although United will not confirm it is ransomware, and are not commenting on the identity of the hackers or their motives.
The club’s computer network is still down and staff are unable to access their company email accounts.
However, United insist the disruption has been minor and not affected matchday operations, with two home games taking place since the attack. They also pointed out that the club’s media channels and ecommerce operations have continued to operate smoothly.