How can a company ensure cybercriminals destroy hacked data after payment?

How can the company be certain that the data is destroyed,

It cannot be certain. The only hope is that it is part of the criminals' business model to maintain a good reputation, in that one gets what is claimed.

But business models might change. For example, if the existing ransomware business does not provide enough profit anymore, it might be worth checking if one can get more profit from previously collected (and not actually deleted) data.

... what reparation can it get if it is found later that the data is passed on after payment?

None. They are dealing with criminals in the first place.


They can't. There is no way to prove that one does not possess some information. So whenever someone claims that they destroyed all copies they had of a piece of information, you have nothing but their word that this is true.


Reputation is an important asset for an extortionist. They will not be paid if they are known not to obey the deals.

Then again, anonymity is another important asset for any criminal (as in not being caught and prosecuted).

So in practice, all these extortionists share a common "body of reputation" and every one of them has their very own "prisoner's dilemma". They can try to get some more money and gradually ruin the business model for everyone doing the same (including themselves) and also face some resistance from their colleagues, or obey the deals, not get the extra money now, and keep the business model strong.

The data crimes also have the extra peculiarity that the criminals can keep the data indefinitely and either decide the dilemma later or themselves lose control over the data (and get extorted themselves). Keeping the data, they also risk the data and their connection to it being found later by law enforcement.

Practice shows that in most (but not all!) cases the extortionists obey the deals.