250K Photos Leaked in Cosmetic Surgery Extortion Attack

Almost a quarter-million private photos—including nude photos—have been leaked by cyber-criminals following the hack of a Lithuanian cosmetic surgery clinic.

The Fancy Bear/APT28 hacking group, using the nickname "Tsar Team,” is behind the attack, according to reports, showing that it’s not just interested in meddling with various elections. It also likes to make money.

Tsar Team claims that the photos came from the Grozio Chirurgija clinic servers, and has been demanding hefty ransoms from the victims (who come from more than 60 countries around the world) in exchange for not releasing the pictures. They demanded payments of between €50 and €2,000 in Bitcoin, with nude photos, passport scans and national insurance numbers commanding higher sums.

The group also offered to give the clinic the entire database in exchange for 300 Bitcoin—an offer that was refused. So, with their thresholds not met, they’ve made good on their threats.

“It’s extortion. We’re talking about a serious crime,” the deputy chief of Lithuania’s criminal police bureau Andzejus Raginskis told reporters.

“The idea of blackmailing individuals with disclosure of personal information certainly isn’t new, though this may be the first time that we’ve seen that tactic employed with personal medical data stolen as part of a cyber-attack,” said Tim Erlin, vice president of product management and strategy at Tripwire.

Medical data is a particularly lucrative type of data for several reasons, according to Paul Calatayud, CTO at FireMon.

“First, and most importantly, medical data such as medical health records and personally identifiable data such as age, name and Social Security Numbers can be used to establish new credit, apply for medical insurance and commit fraud, as well as be used to expose medical conditions of famous people and heads of state,” he said, via email. “This information is also persistent, meaning it cannot be easily reset unlike a stolen credit card. When credit cards are stolen, the consumer impacted is quickly restored when a new card is issued and all fraudulent transactions are dealt with. If your medical records end up in the wrong hands, identity theft allows hackers to potentially open up many cards in your name and you cannot simply be issued a new identity. It's this persistent harm that makes this data particularly valuable to hackers as they can resell the data to multiple buyers.”

Medical test results and health conditions do not have value on the black market, but pictures of patients, or divulging medical conditions such as HIV, would cause great harm to those patients if made public.

“This holds value to those institutions charged with protecting these secrets,” said Calatayud.

All healthcare providers should take the time to review not only their tools and processes for defense, but also their incident response plans.

“The worst time to create an incident response plan is during an attack,” Erlin noted.

What’s Hot on Infosecurity Magazine?