That could be it. But there is a certain dissonance about this whole thing, I try to imagine myself in the same situation and the whole thing weirds me out. How could this mysterious hacker have known they had no other backups? Have they talked to LE at all at this point? Why not string the guy along, buy time, immediately alert amazon to lock the account completely?
So many questions. Anyway, they'll be updating this sooner or later, I just can't help but feel a bit weirded out by some of the things in there (and things that should be in there that are not).
This is most likely just my professional paranoia acting up. And of course it is easy enough to be back-seat driver here, I'd hate to be in their shoes, no matter how they got there.
> How could this mysterious hacker have known they had no other backups?
I don't think we can infer that he knew that. It seems more likely to me that he expected the outcome of deleting all their Amazon stuff he could reach would be that they would be down for a day or two as they reconfigured everything and then restored from offsite backups, costing them overtime or comp time for their IT guys, a few disgruntled customers who leave, a few more disgruntled customers they have to placate with freebies, and making them more likely to pay next time an extortionist comes around.
I would not at all be surprised if the extortionist is very surprised that they did not have other backups and his actions have probably killed the company.
He's probably also somewhat worried, as this probably knocks the monetary damages up enough to (1) make it much more likely that this will get some serious law enforcement attention, and (2) if he is ever caught and convicted greatly increase his sentence and/or fine by moving the severity level of the offense way up.
For instance, here are some examples for 18 USC 1030(a)(5), which covers causing damage or loss on a computer via unauthorized access, assuming no other factors that increase the sentence:
Trying to cost someone a few thousand dollars worth of damage and instead killing their $10 million dollar company, for instance, changes it from 6 months tops to 5 years minimum. Ouch.
> I would not at all be surprised if the extortionist is very surprised that they did not have other backups and his actions have probably killed the company.
> He's probably also somewhat worried, as this probably knocks the monetary damages up enough to (1) make it much more likely that this will get some serious law enforcement attention, and (2) if he is ever caught and convicted greatly increase his sentence and/or fine by moving the severity level of the offense way up.
That's plausible. It makes some sense that if you destroy something that you should be responsible for that. At the same time, even for a hacker the assumption that there would be back-ups would be a fairly logical one, though I'd hate to be in a position of fielding that defense.
So many questions. Anyway, they'll be updating this sooner or later, I just can't help but feel a bit weirded out by some of the things in there (and things that should be in there that are not).
This is most likely just my professional paranoia acting up. And of course it is easy enough to be back-seat driver here, I'd hate to be in their shoes, no matter how they got there.