In June 2024, Cambridge University Press & Assessment, the publishing and assessment arm of the University of Cambridge, was targeted by the ransomware group INC Ransomware, which operates through double extortion: in addition to compromising systems, it steals data and threatens to publish it if the ransom is not paid. As a precautionary measure, some of the systems were shut down, as reported by Times Higher Education and by GÉANT Security.
By the end of June, the group published internal documents on its leak site as proof of the attack — supplier invoices, service contracts, and confidential correspondence. This was not a customer database, but exactly the kind of business document that any company accumulates on a daily basis and rarely protects with the same care given to production systems.
That is where the lesson lies for any manager. The most serious damage doesn't always come from the customer database: it comes from contracts, proposals, invoices, and emails that, when exposed, create legal, commercial, and reputational vulnerabilities. And in double extortion, having a backup is not enough — the problem is no longer about "getting back up and running" but about "these documents cannot become public."
Does your company know where its contracts and sensitive data are — and who can access them?
Reducing this risk starts with visibility and data classification: knowing where critical documents live, restricting access to the minimum necessary, enforcing multi-factor authentication, and monitoring with 24/7 detection and response to contain the attacker before exfiltration. Combined with isolated backups and a rehearsed incident response plan, this turns a potentially devastating leak into a contained incident. Protecting sensitive data is not just about avoiding downtime — it's about ensuring that what is confidential stays that way.