Graff jewellers paid Russian hackers US$7.5 million (S$10.5 million) to stop a leak of private client info, lawsuit says


The British firm paid the ransom to the hacking group Conti after a security breach last year

Luxury British jeweller Graff is reeling from a costly cyber-attack.

According to a lawsuit filed in London, the company paid US$7.5 million (S$10.5 million) in Bitcoin to the Russian ransomware group Conti to prevent it from leaking information about its high-profile clientele.

Now, the high-society jeweller is suing its insurer, Travelers Companies Inc., saying that the million-dollar loss should be covered under its policy. But Graff says that Travelers is refusing to pay. “We are extremely frustrated and disappointed by Travelers’ attempt to avoid settlement of this insured risk,” a Graff spokesperson told Bloomberg. “They have left us with no option but to bring these recovery proceedings at the High Court.”

The drama began last September when Conti accessed and leaked a tranche of data that included purchase records from Oprah Winfrey and David Beckham, as well as Graff customers in Saudi Arabia, the United Arab Emirates and Qatar—all members of their respective nations’ royal families.

Conti made a formal apology to the royals but proceeded to threaten Graff with leaks of purchase data about other clients in the United States, United Kingdom and European Union.

“Our goal is to publish as much of Graff’s information as possible regarding the financial declarations made by the US-UK-EU neo-liberal plutocracy, which engages in obnoxiously expensive purchases when their nations are crumbling under economic duress,” the group said according to reports at the time.

The hackers demanded a US$15 million (S$21 million) payment to a Bitcoin wallet to stop the leaks, and by 3 November Conti had accepted the jeweller’s offer for half that amount.

It is not known when or whether Conti cashed the Bitcoin payment, but the global cryptocurrency market has plummeted in recent months. Graff’s US$7.5 million payment would have been about BTC 118 last November. Now, however, BTC 118 is worth about US$2.3 million (S$3.21 million).

Still, the payment demonstrates how seriously Graff takes data leaks. “The criminals threatened targeted publication of our customers’ private purchases,” the spokesperson said. “We were determined to take all possible steps to protect their interests and so negotiated a payment which successfully neutralised that threat.”

Whether Travelers will accept responsibility for the payment will be determined in court. Neither the insurance company’s representatives nor its lawyers have commented on the case.