EXCLUSIVE: Manchester United face £15MILLION fine if they pay hackers holding them to ransom as club call in experts to try and fight off the virus crippling their systems… and a FURTHER £18m charge could arrive if fans’ data protection is breached
- Man United are being held to RANSOM for millions of pounds by cyberhackers
- The cyber attack is genuine and poses a real risk to United’s personal data
- United face losing £15million if they pay off the criminals involved
- US Treasury Department say a fine will be issued to the Premier League club
- United are listed on the New York Stock Exchange and subject to US law
- Club could face further £18m charge from the Information Commissioner’s Office if any of their fans’ data protection has been breached
Manchester United face a huge fine of up to £15million if they give in to the demands of cyber hackers holding the club to ransom.
The ‘double whammy’ threat emerged as United continued to fight off the sophisticated ransomware attack that has crippled the club’s systems for more than a week, as exclusively revealed by Sportsmail.
United are already faced with a ransom demand that is believed to run into millions of pounds – or risk the possibility of highly sensitive information being leaked into the public domain.
Manchester United will face a £15million fine if they give into a ransom issued by criminals
However if they pay the hackers to call off the attack, United could fall foul of new US legislation that is punishable by a fine of up to $20m (£15m).
Although United are a UK-based company, the Glazer-owned club are listed on the New York Stock Exchange and therefore subject to US law. Their share price dropped on Friday in the wake of Sportsmail’s revelations.
The US Treasury Department announced last month that any organisations meeting the ransom demands of hackers who appear on their global hit list risk incurring a hefty financial penalty – even if the victims are not aware of the criminals’ identity.
The list includes the Russian cybercrime gang Evil Corp, the North Korean Lazarus Group and SamSam ransomware attacks emanating from Iran.
The hackers are demanding cash to release their grip on United, led by chief executive Ed Woodward (left)
The US Office of Foreign Assets Control, an arm of the treasury, warned that paying the ransom demand would only boost the criminals’ finances and encourage them to strike again elsewhere.
The OFAC statement read: ‘Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.
‘Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims.
‘For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States.
‘Ransomware payments may also embolden cyber actors to engage in future attacks.’
United – owned by Avram (left) and Joel Glazer (right), are listed on the New York stock-exchange are therefore are subject to US law
OFAC and the UK’s National Cyber Security Centre have also warned organisations there is no guarantee criminals will keep their word if the demands are met.
This may include not handing back sensitive information they have encrypted or leaking it on the internet.
The threat of a US fine is another headache for United in addition to the threat of a penalty of up to £18m from the independent UK Government body, Information Commissioner’s Office, if the data protection of their huge fanbase has been breached – although the club are not aware that is has.
A spokesperson for the ICO said on Friday: ‘MUFC have made us aware of an incident and we are continuing to make enquiries.’
The timescale of those enquiries varies, with a range of actions available to the ICO. Last month they fined British Airways £20m and Marriott International £18.4m for failing to protect their customers’ personal information.
The National Cyber Security Centre also issued a statement as the Old Trafford crisis continued.
It read: ‘We are aware of an incident affecting Manchester United Football Club and have been working with law enforcement partners in response.’
It’s understood the NCSC became involved after United contacted police following the attack nine days ago. The club have since been following a ransom protocol, but it is unclear if they will pay up.
The attack is believed to have come from an email phishing scam although United will not confirm it is ransomware, and are not commenting on the identity of the hackers or their motives.
The club’s computer network is still down and staff are unable to access their company email accounts.
However, United insist the disruption has been minor and not affected matchday operations, with two home games taking place since the attack. They also pointed out that the club’s media channels and ecommerce operations have continued to operate smoothly.
Despite the drop in share price, it’s understood United will not be making a statement on the US Stock Exchange to reassure investors.