If Rex Mundi finds his next target, what will happen?
First he will look for the most vulnerable one and download the data.
Then he will send you an email asking you for payment (as we hear it is now between 30K and 50K, depending on the data).
He will give a date or period in which you can respond.
Then he will send another mail threatening to publish some data on some date.
He will announce the release of a new dataset on Twitter without mentioning who the victim is.
If he didn't receive anything, nor any feedback, he will publish some data.
Then the real shit starts.
* most firms didn't even upgrade their security during that period - you should do that from the moment you have received that mail (it also means that you will have to bring in security consultants, new security appliances, forensic advisers, ...)
* most firms didn't start contacting the authorities and the privacy commission during that period - you should do so within 24 hours from the moment you were informed that you have been breached (this doesn't mean that they publish that information)
You can probably start looking for a firm specialised in crisis communication.
If it is heavy, like Easypay and Mensura, then you can start looking for a lawyer, in case you get complaints with the privacy commission or the courts from victims (and the longer you wait with doing the things above, the longer the list of complaints will be and the more you will at least look guilty).
* the number of attacks against your network and data will increase, because Rex Mundi is not the only one in the digital universe knowing how to push the button to examine and extract if vulnerable (as that is all one has to do with modern SQL injection software - I didn't use it, I just looked at it)
So if there are new targets being attacked in the next days, then we will know in 2 to 3 weeks - in time for him to buy his Christmas presents.
Even if you decide to pay, you still have to go through a total password reset and a total re-securing of your internet connections, data and web services.
Meanwhile, if you have some budget for next year, there are two essential things: stop SQL injection (WAF and handmade tests) and use strong encryption, and if you have enough money, separate your access to your backoffice totally from your news portal (separate server with separate IP, separate access rules, firewall protections and other dataflow rules (no downloads of data for example, only uploads)).
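As an added illustration of the "handmade tests" advice (example code, not from the original post or from any of the firms mentioned): a small self-check that feeds a classic tautology input to a lookup function and reports whether extra rows leak. The `customers` table, the sample rows and both lookup functions are constructed for this example; the first lookup shows the string-concatenation pattern that injection tools exploit, the second the parameterized form that resists it.

```python
import sqlite3

# Constructed sample data standing in for a customer table of the kind that gets dumped.
SAMPLE_ROWS = [
    (1, "alice@example.com", "Alice"),
    (2, "bob@example.com", "Bob"),
    (3, "carol@example.com", "Carol"),
]

# A classic tautology input, used here only as the probe for the self-check.
INJECTION_INPUT = "' OR '1'='1"


def build_db():
    """Create an in-memory database holding the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, email):
    """The pattern injection tools exploit: user input pasted into the SQL string."""
    sql = "SELECT id, email, name FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Hardened form: the driver binds the value, so input cannot alter the query."""
    sql = "SELECT id, email, name FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def passes_injection_test(lookup):
    """Return True when `lookup` resists the probe.

    A legitimate address must return exactly one row and the probe input
    must return zero rows; anything else means the query is injectable.
    """
    conn = build_db()
    normal = lookup(conn, "alice@example.com")
    injected = lookup(conn, INJECTION_INPUT)
    conn.close()
    return len(normal) == 1 and len(injected) == 0


if __name__ == "__main__":
    print("vulnerable lookup passes:", passes_injection_test(lookup_vulnerable))
    print("parameterized lookup passes:", passes_injection_test(lookup_parameterized))
```

Run the check against every query function that touches user input; the vulnerable one returns the whole table for the probe, which is exactly the mass download the post describes.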