Threatonomics

The false promise of paying criminals to delete your data

by Emma McGowan, Senior Writer

Salesforce is calling their bluff

On October 6, 2025, hackers demanded ransom from Salesforce for nearly one billion stolen customer records. The company’s response was unequivocal: no payment, no negotiation. While the refusal made headlines, the more important question is why Salesforce—and increasingly, other mature organizations—are walking away from the table when criminals offer to “suppress” stolen data.

The answer is simple: paying for data suppression doesn’t work. It never has.

The false promise of data deletion

When threat actors exfiltrate your data, they typically offer a deal: pay us, and we’ll delete what we stole. No publication on leak sites. No sale to competitors. No regulatory headaches. Just make the problem disappear.

Except it doesn’t disappear. Here’s what you actually get when you pay for data suppression:

Zero guarantee of deletion. You’re trusting criminals to honor an agreement with no verification mechanism and no recourse. Even if they delete their primary copy, you have no way to confirm they haven’t retained backups, sold copies beforehand, or shared the data with affiliates.

A target painted on your back. You’ve just signaled that your organization pays ransom demands. Criminal networks share this intelligence. According to Resilience data from the first half of 2025, ransomware accounted for 76% of incurred cyber insurance losses, with the average claim reaching $1.18 million. Organizations known to pay become priority targets for repeat attacks.

Depleted resources for actual recovery. Every dollar spent on suppression payments is a dollar not spent on forensic investigation, system hardening, or breach response. Insurance limits get consumed by ransom instead of recovery.

Questionable legal protection. Regulatory bodies and plaintiffs in civil litigation increasingly view suppression payments with skepticism. Paying doesn’t absolve you of notification requirements or demonstrate due diligence in protecting customer data.

In multiple recent cases, threat actors have even located copies of victims’ cyber insurance policies and calibrated their ransom demands accordingly. In one case, attackers directly referenced the client’s policy limit, treating insurance coverage as a pricing guide for their extortion.

How Salesforce calls the bluff

The Salesforce incident demonstrates exactly why suppression payments fail. Throughout 2025, a cybergroup calling themselves Scattered LAPSUS$ Hunters (presumably a combination of Scattered Spider, LAPSUS$, and ShinyHunters) conducted two separate campaigns against Salesforce customers. They used social engineering tactics—impersonating IT support staff to trick employees into authorizing malicious OAuth applications and exploiting stolen tokens from the Salesloft Drift integration—to exfiltrate data from 39 major companies including Google, Cisco, Toyota, Home Depot, Marriott, and Disney.

The threat actors launched a data leak site and made Salesforce a unique offer: pay a single lump sum covering all affected customers, or watch as they individually extort each company. They even offered to pay random people $10 in Bitcoin to harass executives, attempting to manufacture pressure through crowdsourced harassment.

Salesforce refused. “I can confirm Salesforce will not engage, negotiate with, or pay any extortion demand,” the company stated publicly.

The result? At the time of this article’s publication, no individual company has been extorted that we know of. However, on October 13 the attackers leaked data that they claim belongs to Albertsons, Engie Resources, Fujifilm, GAP, Qantas, and Vietnam Airlines. While the incident is still unfolding, the targeted companies are currently reviewing the released data to determine how their customers might be affected.

What actually works: Building suppression-proof resilience

Organizations successfully defending against data extortion—without paying—share several critical characteristics:

They encrypt sensitive data by default. If stolen data is already encrypted with keys the attacker doesn’t possess, its value plummets. This isn’t just compliance theater—it’s making your data economically worthless to criminals. Even if exfiltrated, properly encrypted data provides no leverage for extortion.

They implement zero-trust architecture for data access. The Salesforce attacks succeeded through stolen OAuth tokens and social engineering that granted API-level access. Organizations with robust identity verification, least-privilege access controls, and continuous authentication make this attack vector substantially harder.

They maintain intelligence-led visibility into their data. Rather than depending on ransom demands to learn what was stolen, mature organizations use dark web monitoring and threat intelligence platforms to independently track their data. This eliminates the information asymmetry attackers depend on.

They have pre-approved breach response frameworks. When a breach occurs, these organizations don’t waste critical hours debating whether to notify regulators or customers. Legal obligations are mapped, communication strategies are ready, and incident response teams can execute immediately. Speed and transparency often limit damage more effectively than suppression payments ever could.

They educate leadership on the suppression payment illusion. Executives must understand that paying for data deletion offers only false comfort while increasing long-term exposure. The Salesforce case demonstrates that even facing intense pressure from dozens of affected customers and threats involving nearly a billion records, refusing to pay is both viable and principled.

Making the economics of extortion unsustainable

The threats facing organizations haven’t diminished. Ransomware, data exfiltration, DDoS attacks, and psychological pressure tactics will continue evolving. But the question isn’t whether you’ll face an extortion demand—it’s whether you’ll have the infrastructure and resolve to refuse it.

The attackers are counting on fear, urgency, and the illusion that payment makes the problem disappear. Organizations armed with encrypted data, validated backups, tested incident response plans, and educated leadership can call that bluff. They don’t just protect themselves—they make extortion less viable for everyone.

The data suppression payment trap is exactly that: a trap. The only way to win is not to play.
