[mcny]

If the data is worth paying a million dollar ransom to unlock, it is worth setting up proper backups. I for one am grateful to people who commit these crimes in which they "lock" data in place rather than sell it to the highest bidder.

Proper data hygiene isn't brain surgery. There is zero excuse for this event. I don't blame the criminals. I blame the university system. Shame!

[brippalcharrid]

    ... "lock" data in place rather than sell it to the highest bidder.

Why not both? And once the rightful owner of the data has paid a fat ransom, surely that's got to provide some kind of proof of its market value. The University did say that

    The attackers obtained some data as proof of their action

so unless they're logging their outbound traffic, who's to say they didn't exfiltrate all of it? It's the kind of thing that the University would remain tight-lipped about unless they were either sure that it hadn't happened (doubtful, seeing as they aren't running a tight ship) or had some kind of mandatory reporting obligation for the data.

[akiselev]

The data is worth that much to the university because they're critical to grant continuity - it'll be hard or impossible for their researchers to keep the money flowing without it. It's pretty much useless in everyone else's hands because those grants also depend on individual reputation and research history.

[strictnein]

Absolute nonsense.

First of all, they are increasingly selling the data. They exfil first, lock second.

Second of all, these wonderful criminals are targeting all manners of institutions, not just large universities.

Proper data hygiene at large enterprise levels is, in fact, exceedingly difficult.

[vinay_ys]

  Proper data hygiene at large enterprise levels is, in fact, exceedingly difficult.

Creating a hermetically sealed IT environment where only way to exfiltrate data that remains is the employees eyeballs is definitely possible and is increasingly done well by a lot of large organizations.

Defending against insider threat (malicious employees) is still a challenge for most civilian (non-military) organizations.

[codezero]

Don’t entirely disagree, but also think it’s fair to say they almost certainly use the stolen data to find weaknesses in their next targets, so it’s not just a one to one thing. This doesn’t at all negate the main statement: good motivation to actually do proper backup and security.

[dogecoinbase]

I know how much IT personnel at UCSF make -- you get what you pay for. If you want expertise, it's not hard to find.

[strictnein]

People who can properly secure a large enterprise are, actually, quite hard to find.

[dogecoinbase]

They're really, really not. You just have to pay an appropriate salary.

[ohyeshedid]

...and allow IT to control the security and access policies, rather than executive level users.

[throwway831471]

Or the faculty senate, as is often the case in higher ed.

[mc32]

Depends, those kinds of outfits tend to poke around and lurk a while before striking. In that time they can exfiltrate and you cannot prove that the baddies didn't exfiltrate data (if you had that sophistication, they wouldn't have been in the mess they got into).