Within the EU, GDPR seems to have an interesting impact on how companies/organisations respond to cyber attacks like this: if they don't pay the ransom, the data is leaked, and they are now liable under GDPR and will likely have to pay a (very large) fine to the regulator for the data leak. Attackers are surely savvy to this, and should set the ransom to be slightly lower than what they estimate the fine would be, which 'motivates' the organisation to pay the ransom.

In theory however, even if the organisation recovers the data by paying the ransom, they should still report this as a data breach, and would probably be fined by the regulator even though the data was recovered, since the breach still occurred in the first place.

I'd be very interested to know the impact the new California state laws on privacy have had on UC's decision to (seemingly) pay the ransom; I'm not based in the US, nor am I familiar with the jurisdiction, but I imagine that this will have been taken into account and might explain why UC acted differently to MSU here.