When corporations have their computers hacked, they generally don’t talk about it. It’s awful publicity, and in most cases there is no legal requirement to disclose attacks. So sweeping it all under the carpet generally looks like the best response.
That means we have no idea how much sensitive data is being stolen from companies, or how many websites are paying protection money to avoid DDoS attacks. The issue is somewhere on a spectrum between “significant worry” and “undiagnosed catastrophe” — but, short of more mandatory disclosure laws, we can only speculate precisely where.
We can get a few hints, though, from the annual report of a committee overseeing the UK intelligence services. Perhaps through hosting “information exchanges” of companies involved in critical infrastructure, they have gathered some knowledge of the problem.
[One company] concluded that they had lost at least £800 million as a result of *** cyber attacks, and that’s quite a lot of money, even for a major company. But it’s very helpful, because otherwise you are just saying, ‘Well, some information has gone. So what?’
They also note a trend towards obtaining sensitive information indirectly, by hacking the “soft targets” represented by lawyers, accountants and other professional service firms.