
Data Capture: May Ransom Be Paid to Cyberthieves?

Adapted from the writings of Dayan Yitzhak Grossman

January 8, 2026

ManageMyHealth, a New Zealand medical records website, recently suffered a cyber extortion attack. A hacker group calling itself “Kazu” gained access to patient records and threatened to release them unless a $60,000 ransom was paid. According to state broadcaster Radio New Zealand:

The deadline has arrived for the ransom being demanded after hundreds of thousands of medical files were stolen from the country’s largest patient portal.

Manage My Health was still grappling with the massive data breach affecting more than 120,000 of its users…

It is believed that the deadline would expire at 5:37am, after a Telegram post announced that it would “leak everything” if a ransom was not paid within 48 hours at the same time on 4 January.

Health Minister Simeon Brown said the government had a long-standing position that ransoms should not be paid.[1]

Redeeming captives for more than their value

The Mishnah says we do not redeem captives for “more than their value.”[2] The Gemara gives two reasons for the prohibition:

  1. To avoid excessively burdening the community.
  2. To avoid incentivizing additional seizures.

Most poskim accept the latter reason as normative,[3] though some consider the matter unresolved.[4]

Would the Mishnah’s prohibition apply to paying ransom to cyberattackers?

Voluntary redemption

The Gemara explains that a point of divergence between the two reasons is where an individual voluntarily offers an excessive ransom for his relative; the former reason does not apply, but the latter does.[5]

With regard to cyber extortion, it would seem that the former reason is not applicable, while the latter might be, if the concern for incentivizing kidnapping can be extended to incentivizing ransomware attacks.

Data are not people

While there has been a great deal of discussion about the parameters of the Mishnah’s prohibition and its applicability to various modern scenarios (particularly those involving political terrorism), these scenarios have all involved human captives (usually living ones, and occasionally their remains); I am not aware of any discussion of paying ransom for data.

On the one hand, perhaps the concern for incentivizing crime does not apply, because cyberattacks are not as terrible as kidnappings. Although ransomware attacks on hospitals have been linked to deaths,[6] these links are tenuous and indirect, and it seems difficult to argue that halacha would consider such attacks to be the equivalent of kidnapping, given that it treats captivity as a fate worse than death by natural causes, by the sword, or by famine.[7]

On the other hand, given the relative ease with which such attacks can be perpetrated; the global reach of cyberattackers; the deep, society-wide vulnerability to such attacks; and the very real possibility of future attacks causing grave societal harm, including death, it can easily be argued that it is indeed imperative to avoid incentivizing them.

Ransoming oneself

Tosfos maintains that even the second reason applies only to ransoming others, but one is always permitted to ransom himself, because Chazal never restrained a person from relinquishing all he has to save his life;[8] this position is codified in the Shulchan Aruch. It can be argued, then, that according to either reason for the prohibition, a business is still entitled to pay any ransom on its own behalf. Perhaps, though, this dispensation applies only when one’s life is at stake (as per the language of Tosfos) and does not extend to paying ransom to avoid nonlethal harm.

The value of data

A final consideration is that the prohibition is only to redeem captives for more than their value. In the original context of human captives, one interpretation of “value” is the captive’s price on the slave market, and if there is no local slave market, we estimate his value to a slaver who would transport him to one.[9] Others interpret the term in light of the need to avoid incentivizing future seizures; they understand that the problem is with overvaluing Jews relative to others, because that will cause kidnappers to specifically target Jews, but there is apparently no prohibition against paying excessive ransoms in general.[10]

With respect to the first definition of value in the classic sense of market price, much has been written about the business value of data, from the perspectives of legitimate businesses,[11] subjects of the data,[12] and the criminal underworld.[13] Depending on the nature of the data in question and which perspective is adopted, it will be more or less feasible to arrive at a concrete valuation of a particular collection of data.

According to the view that the problem is making Jews better targets than others, paying ransom to cyberattackers would be generally permitted, except where it would engender the perception that Jews and their businesses are especially attractive targets.

[1]Kim Baker Wilson and Ruth Hill. Manage My Health data breach ransom deadline arrives. Radio New Zealand. https://www.rnz.co.nz/news/national/583248/manage-my-health-data-breach-ransom-deadline-arrives.

[2]Gittin 45a.

[3]Rambam Hilchos Matnos Aniyim 8:12; Radvaz ibid.; Kessef Mishneh ibid.; Ramban and Rashba to Gittin ibid.; Shulchan Aruch Y.D. 252:4.

[4]Ran ibid. Cf. Shu”t Bnei Vanim cheilek 1 siman 43 os 2 p. 150 for an exhaustive list of the views of the Rishonim on this question.

[5]Gittin ibid. and Rashi there.

[6]William Ralston. The untold story of a cyberattack, a hospital and a dying woman. Wired UK. https://www.wired.co.uk/article/ransomware-hospital-death-germany;

Nsikan Akpan. Ransomware and data breaches linked to uptick in fatal heart attacks. PBS Newshour. https://www.pbs.org/newshour/science/ransomware-and-other-data-breaches-linked-to-uptick-in-fatal-heart-attacks;

Brian Krebs. Study: Ransomware, Data Breaches at Hospitals tied to Uptick in Fatal Heart Attacks. Krebs on Security. https://krebsonsecurity.com/2019/11/study-ransomware-data-breaches-at-hospitals-tied-to-uptick-in-fatal-heart-attacks/.

[7]Bava Basra 8b.

[8]Tosfos Gittin ibid. s.v. Delo legarvu veleisu (alluding to Iyov 2:4).

[9]Shu”t Maharam Lublin siman 15.

[10]Shu”t HaRadvaz cheilek 1 siman 40. Cf. Pis’chei Teshuvah ibid. s.k. 5, and Bnei Vanim ibid. at length.

[11]The world’s most valuable resource is no longer oil, but data. The Economist. https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data;

Data Valuation—What is Your Data Worth and How do You Value it? Open Data Science. https://medium.com/@ODSC/data-valuation-what-is-your-data-worth-and-how-do-you-value-it-b0a15c64e516.

[12]Hanna Kozlowska. How much is your data worth? Quartz. https://qz.com/1655610/how-can-you-measure-the-worth-of-your-data/.

Pauline Glikman and Nicolas Glady. What’s The Value Of Your Data? TechCrunch. https://techcrunch.com/2015/10/13/whats-the-value-of-your-data/.

[13]Brian Krebs. How Much Is Your Identity Worth? Krebs on Security. https://krebsonsecurity.com/2011/11/how-much-is-your-identity-worth/.

Brian Krebs. How Much is Your Gmail Worth? Krebs on Security. https://krebsonsecurity.com/2013/06/how-much-is-your-gmail-worth/.
