RAPAPORT… Graff paid more than $7 million in bitcoin to a Russian ransomware firm to stop the publication of client data, according to a lawsuit the jeweler filed against its insurer.
The UK-based company suffered a cyberattack last year, when Conti encrypted and stole personal information from the luxury brand.
Details of the incident became public after Graff sued Travelers, its insurance provider, in the High Court of Justice in London on June 13. Graff claims it was covered for such a hack, but Travelers has not paid anything, the lawsuit alleged. Travelers did not respond to a request for comment from Rapaport News.
“We were determined to take all possible steps to protect [customers’] interests, and so negotiated a payment which successfully neutralized that threat,” a Graff spokesperson said last week.
“Regrettably, these commercial decisions are all too common these days. Insurers know this, which is why we are extremely frustrated and disappointed by Travelers’ attempt to avoid settlement of this insured risk. They have left us with no option but to bring these recovery proceedings at the High Court.”
Graff found out about the attack on September 23, according to the court document. On September 26, Conti made an initial demand for $5 million and threatened to publish all the data it had obtained unless it received payment. Graff had restored its systems by October 5, it said, and suffered no irretrievable loss of data.
On October 7, Conti named Graff as a victim on its website and, on October 18, published what it claimed to be 1% of the data it had taken. On October 31, the UK Mail on Sunday ran a front-page story about the leak and mentioned some of the jeweler’s high-profile clients.
Graff initially refused to negotiate, but the media splash prompted the hackers to increase their threats, Rapaport News understands.
On or around November 2, Conti removed the data from its website and issued an apology to the Saudi, United Arab Emirates (UAE) and Qatar royal families for having published data relating to them, Graff said. The statement, according to the lawsuit, included a threat to publish further client data, including purchase statements, financial declarations and money orders.
On November 3, Conti demanded $15 million to avoid publication of this data, to which Graff responded with a counteroffer of $7.5 million on the same day. Conti accepted this, the document noted. On November 4, Graff paid Conti $7.5 million in bitcoin to a designated wallet, after which the ransomware group gave Graff access to the data for deletion.
Travelers believed Graff should have given in to the demands earlier in the hopes of paying a smaller amount, according to an anonymous source.
In addition to the ransom payment, Graff incurred costs of just over $1.5 million for professional services, such as legal and public-relations advice, according to the filing. In total, the jeweler is claiming damages of $9 million plus costs and interest.
Image: A Graff store in Zurich, Switzerland. (Shutterstock)