Ask HN: Ethical Hacker" or Criminal Scammer?

My company does not participate in any sort of bug bounty programs. An "ethical hacker" hacked into one of our small back end tools and is pressuring us for money to reveal what he did and is sort of threatening to release confidential information from it. How should we handle this?