A group claiming to have hacked a Dexia Bank subsidiary’s database is threatening to post sensitive customer information unless it receives an “idiot tax” of EUR150,000 by Friday.
In a pastebin statement addressed to the media, the unnamed group says it has “downloaded extensive confidential customer information” from servers belonging to Elantis, a mortgage and consumer credit unit of Belgium-based Dexia.
The data – a sample of which has been posted in the message – apparently includes loan applications featuring full names, job descriptions, ID card numbers, contact information and income details.
Read more on Finextra.
The full media statement follows:
Dear members of the media,
Last week, our group downloaded extensive confidential customer information from Elantis’ servers. Elantis is a money lending company which belongs to renowned Belgian bank, Dexia (Do not bother trying to
reach their website, they disconnected their server after we hacked into it).
In addition to database tables containing data such as internal login credentials, we downloaded numerous tables which contain Internet loan applications, as well as fully-processed applications. Those tables hold highly-sensitive data such as the applicants’ full names, their jobs, ID card numbers, contact information and details about their income.
It is worth pointing out that this data was left unprotected and unencrypted on Elantis’ servers.
We contacted Dexia over the weekend to offer them not to publicly release this data over the Internet if they agreed to pay us the equivalent of roughly EUR 150,000 before Friday, May 4th. So far they have declined to do so.
While this could be called ‘blackmail,’ we prefer to think of it as an ‘idiot tax’ for leaving confidential data unprotected on a Web server.
The only question that remains now is this — After they carelessly treated their clients’ data, will Dexia act to prevent their clients’ data from being published online, or is their clients’ confidentiality worth
less to them than EUR 150,000?
Time is running out.
The hackers involved did not identify themselves or point to any Twitter accounts.
Update: Loek Essers of IDG obtained some additional details on the breach. The bank says it will not pay blackmail, which is just as well as it seems the hackers didn’t give them any instructions as to how they were supposed to make the payment. It may well be that the hackers’ threat was just to call more attention to the bank’s lack of security for their data, but just making the threat could add years to any sentence if/when the hackers are caught.