Part 4 of a special five-part series.
When the first extortion e-mail popped into Michael Alculumbre's inbox, he had no idea it was about to cost his business nearly $500,000.
The note arrived in early November of last year, as Alculumbre's London-based transaction processing company, Protx, was being hit by a nasty distributed denial of service (DDoS) attack. Zombie PCs from around the world were flooding Protx.com (the company's Web site) and the transaction processing server that was the commercial heart of the business.
In the extortion e-mail's broken English, someone identifying himself as Tony Martino proposed a classic organized-crime protection scheme. "You should pay $10,000," Martino wrote. "When we receive money, we stop attack immediately." The e-mail even promised one year's protection from other attackers for the $10,000 fee.
"Many companies paid us, and use our protection right now," Martino said. "Think about how much money you lose, while your servers are down."
The Protx attackers had one thing right: online attacks can be expensive. A 2004 PricewaterhouseCoopers survey of more than 1000 businesses in the UK found that, on average, companies spent more than $17,000 on their worst security incident that year. (A PDF of the report may be found here.) For large companies, that amount was closer to $210,000, the study found. For companies of either size, most of the loss was due to the disruption in their ability to do business, with expenses for troubleshooting the incident and actual cash spent responding to it accounting for considerably less.