High-end British Jeweler Goes to Court Against Insurer After Paying $7.5 Million in Bitcoin for a Ransomware Event
Graff, home to “the most fabulous diamonds and jewels in the world,” as its website so aptly describes, faced a not-so-glamorous hack in September 2021, resulting in a bitcoin ransom of $7.5 million.
Conti, a Russian hacking gang, threatened to leak Graff data, including sensitive information on the company’s biggest clients, which include the likes of David Beckham, Oprah, Tom Hanks, Samuel L. Jackson, Alec Baldwin, Sir Philip, the Trump family and other A-list celebrities.
Middle Eastern royalty, too, make up the jeweler’s clientele.
The initial demand was $15 million in bitcoin, but negotiators within the jeweler’s network were able to cut the ransom in half.
“Our goal is to publish as much of Graff’s information as possible regarding the financial declarations made by the U.S.-UK-EU neo-liberal plutocracy, which engages in obnoxiously expensive purchases when their nations are crumbling under economic duress,” the hacking group reportedly said. (Though later, the hackers issued an apology letter to Graff’s clients in the Middle East.)
Its insurer, The Travelers Companies, refused to pay.
It argued that its policy did not cover cryptocurrency ransom payments, and therefore, it had no duty to indemnify the billion-dollar jeweler for the money it provided to the hackers.
In response, Graff filed suit against the insurer, stating that Travelers’ policy should cover the ransom it paid to Conti.
In a public statement, a Graff spokesperson said, “We are extremely frustrated and disappointed by Travelers’ attempt to avoid settlement of this insured risk.”
Travelers has not made a public statement at this time.
Scorecard: This suit is in its infancy, but as it stands, the two parties will likely make it to court to hash out the details of whether or not the policy language states Travelers is on the hook.
Takeaway: Hackers are increasing ransom sizes, and businesses are paying them in order to keep data secret and safe. But insurers on the other end are in a tough position to figure out the right balance to pay, deny or indemnify. It never hurts to have a plan well in advance of a hack.