Quest Records LLC breach linked to TheDarkOverlord hacks; more entities investigate if they’ve been hacked

At the end of June, DeepDotWeb broke the story that hackers calling themselves TheDarkOverlord (TDO) had put three databases with patient information up for sale on the dark net. Although the owners of the databases were not listed, DataBreaches.net was able to identify two of the three entities as the Athens Orthopedic Clinic (AOC) in Atlanta and Midwest Orthopedic Pain and Spine (MOPS) in Farmington, Missouri. Both entities reportedly received ransom demands from TDO to pay up if they wanted their patient data destroyed and not sold, but as of August 6, no ransom had been paid, according to TDO. Whether any has been paid since then is unknown, but doubtful.

The third database, from an entity originally described as being in the Midwest but later identified more specifically as being in Oklahoma City, was never identified by DataBreaches.net nor named by TDO. TDO later claimed that they wouldn’t be naming them because the entity had paid the ransom and their for-sale listing was removed from TheRealDeal Market. But paying any ransom does not negate any obligations under HIPAA and HITECH to notify patients and HHS of a breach, and DataBreaches.net notes that there is currently no entry on HHS’s public breach tool that would correspond to any incident in Oklahoma affecting approximately 210,000 patients. Either the Oklahoma City entity did not report the incident to HHS, they reported but HHS has yet to post the report, or TDO fabricated claims about an OKC database paying ransom to boost its reputation. Given that TDO lied to some news outlets (including this one) in other claims, any of the three explanations seems possible at this point.

The day after they created headlines over those three databases for sale, TDO also listed for sale what they described as an insurer’s database with 9.3 million records.
After attempting to contact people whose data were included in an expanded sample of data provided to this site by TDO, DataBreaches.net suspected that the database was linked to United Healthcare, but UHC denied it was their data. As I noted in my report, their denial statement did not really rule out that it was one of their vendors. In a recent encrypted chat with a TDO spokesperson, the spokesperson claimed that the data had come from a vendor who was a lead generator for UHC but that UHC was “responsible.” TDO did not clarify what they meant by that and did not name that vendor. To the best of DataBreaches.net’s information, no ransom was paid in that situation, either.

In July, TDO started leaking some of the AOC and MOPS patients’ information on Pastebin, while yet three more entities had their patient databases listed for sale on TheRealDeal. DataBreaches.net was able to identify two of the three, and as I had done with AOC, notified those two promptly to alert them that their patient data appeared to have been compromised: Prosthetic & Orthotic Care, Inc. (P&O Care), who would also have patient data and images leaked on Pastebin and Twitter, and PilotFish Technology (PFT); the third was an entity in New York that DataBreaches.net was unable to identify. The source code for PFT was subsequently listed for sale on AlphaBay (see InfoArmor’s detailed analysis of the code and the risks it poses). In an encrypted chat, TDO confirmed to DataBreaches.net that they had attempted to extort PFT. As far as DataBreaches.net knows, neither P&O nor the unnamed NY entity paid any ransom. So far, then, the only publicly mentioned entity/victim that may have paid any ransom is an unnamed OKC entity.
TDO’s business model of attempting to extort entities in the healthcare sector by putting their databases up for sale, naming them if they resisted paying ransom, and then leaking patient data and alerting the media to such developments to increase the pressure on the victims, does not appear to have had any clear commercial success. Given that they were demanding fairly high ransoms, one can only wonder if their model might have worked if they had demanded smaller ransom amounts, although RexMundi also encountered refusal to pay ransom in their European-based attacks. But even if the extortion business model appeared to be something of a commercial flop as publicly executed, the fact remains that a number of entities in the healthcare sector had their patient or client information hacked and acquired – and put up for sale. And in addition to the databases that have been, and remain, listed for sale, other victim entities were alluded to by TDO publicly and in encrypted chats with DataBreaches.net.

Other Entities Investigating

Although a TDO spokesperson told DataBreaches.net and other news outlets that they had a 0day that they used to gain access to some of their targets, some victims’ disclosures have made reference to compromise of an unnamed vendor’s credentials as being responsible for their breach. Last week, DataBreaches.net became aware that at least two previously unnamed entities are investigating whether that vendor’s breach resulted in compromise of their patient information. One of those entities is Peachtree Orthopedic Clinic (POC) in Atlanta. In a telephone conversation last Wednesday, an IT employee confirmed to DataBreaches.net that they have been investigating for weeks, trying to assess what may have happened, and that the FBI has been assisting them. The employee also confirmed that they were a client of the vendor that DataBreaches.net has been able to identify and names later in this report.
Several pieces of information had led me to suspect that POC might have become a victim of TDO, but I’ll only mention two of them here for now. One piece was that POC’s web site has a section on Team Affiliations that lists the Atlanta Braves and other teams. As I had reported on June 29, TDO had informed me in a private chat that they intended to release a database that day that I had described in my report as relating to a “major Atlanta sports team.” That team had actually been named by TDO to me as the Atlanta Braves. But TDO had also informed me that it was not the Atlanta Braves organization that had been hacked but another entity – a clinic – that was involved with the Atlanta Braves and other sports teams, a description that matches POC’s web site. Second, POC is an orthopedic clinic, and TDO had hit other orthopedic clinics, including Athens Orthopedic Clinic, which, like Peachtree, is also in the Atlanta area. Several hours after my phone conversation with the POC […]

As threatened, Rex Mundi dumps Labio patients’ diagnostic test results

As they had threatened to do if Labio did not pay them €20,000, the hacker collective known as Rex Mundi has started dumping/disclosing identifiable patient data. The dump was announced on Twitter by the @RexMundi2015 account. DataBreaches.net confirmed that the records appear to be the results of lab tests performed on patients whose names, dates of birth, referring doctor, and test results are now publicly exposed. As of the time of this posting, there is still no mention of the incident on Labio’s web site, and the firm has not yet responded to an inquiry from DataBreaches.net earlier today as to whether they have notified affected patients or intend to notify them.

Labio joins 16 other firms who have had their client or patient data revealed after refusing to pay Rex Mundi’s extortion demands. So far, none of the firms appear to be U.S.-based. When asked what percent of firms do pay them, a spokesperson for Rex Mundi informed DataBreaches.net that over 50% of the entities they have hacked have paid the demanded monies to keep the hack quiet and to avoid having their clients’, employees’, or patients’ personal information publicly dumped.

Rex Mundi statement on their motives and methods

@RexMundi2015 issued a statement today, to set the record straight:

Dear friends and foes,

Over the past few months, we have read a series of inaccurate facts about us in the press. We therefore would like to take the time to correct some of the most common misconceptions regarding our activities.

– The companies we targeted have only one thing in common: mediocre IT security protocols or poorly-designed Web applications. After successfully hacking a website, we always give its owners a clear choice: pay up to protect the data they failed to secure from getting released over the Web or refuse to pay to clean up their own mistakes. To this, of course, some might object that those companies are not responsible for getting hacked — we are. But, think about this scenario for a moment: your best friend lends you her car. You park it at night in a sketchy neighborhood and leave it unlocked with the keys on the front seat. Coming back in the morning, you realize the car has of course been stolen. Who is responsible? The thief of course should be blamed for it. But aren’t you also to blame? Your friend trusted you to keep her car safe, something which you failed to do. Similarly, while we are obviously to blame for these hacks, we feel that the companies we target are also partly responsible for their users’ data getting stolen. All in all, this creates a very interesting and fascinating moral dilemma.

– Unlike other groups out there, we have no interest whatsoever in making any kind of political or social statement. We are only interested in making money, which brings us to the code of conduct we have put in place. This code of conduct was devised not out of some misplaced sense of honor, but simply to maximize our chances of getting paid. It is quite simple:

* Communication and/or negotiations between us and our targets is never released, regardless of whether we get paid or not.
* We never discuss or even acknowledge the fact that some of our past targets might have paid us.
* We automatically delete all of the stolen data once a full payment has been made.
* We never target the same company twice and, for obvious reasons, we always stick with the original requested amount.

Once again, this code of conduct is simply there to ensure we do end up getting paid. If we posted the data of a company that has paid us, no other future target would ever agree to pay us. Similarly, asking for more money once we have already been paid would be pointless as no target would pay a second time out of fear we might ask for even more money a third time.

– Finally, we would like to mention that whether a company agrees to pay us or not has no impact on our future endeavors. We will continue to target vulnerable websites, regardless of how many companies refuse or accept to pay.

Twitter: @RexMundi2015
Rex Mundi

PS: Shouldn’t Labio have informed its patients of the breach?

Rex Mundi threatens to expose patients’ blood test results if lab doesn’t pay extortion demand (update 1)

Rex Mundi is back again. After hacking Synergie and dumping data from Temporis in January, the hackers, who have made a business of hacking for profit, have announced that they have now hacked a diagnostic laboratory in France, Labio. And once again, they announced the hack on Twitter:

Labio.fr hacked last week. 100’s of blood test results in our possession. #infosec #hack #piratage #Labio
— Rex Mundi (@RexMundi2015) March 13, 2015

@Cyber_War_News @TheHackersNews We hacked Labio.fr and downloaded 100’s of blood test results in PDF. We post them Tues if Labio doesn’t pay.
— Rex Mundi (@RexMundi2015) March 13, 2015

A pop-up notice on the lab’s web site this afternoon indicated that the server was temporarily unavailable due to a “technical problem” (translated here from the French original):

RESULTS SERVER UNAVAILABLE
Following a technical problem, the online results server is temporarily unavailable. In case of emergency, please contact your laboratory, which can send you your results by e-mail, fax or post. LABIO’s management apologizes for this inconvenience.

In response to a tweeted question from DataBreaches.net, Rex Mundi indicated that they had demanded €20,000 from Labio not to release the data. Because they have followed through on their threats in the past when organizations have not paid the extortion demands, we’ll have to see what happens on Tuesday.

Other entities hacked by Rex Mundi include Swiss bank Banque Cantonale de Geneve, French loan company Credipret, Swiss web hosting company Hoststar, Tobasco.be, Z-Staffing.org, Easypay Group payroll company in Belgium, Webassur, Thomas Cook Belgium, Finalease Car Credit, Mensura, Drake International, Accord.nl, ECAAssurances, Mutuelle La Frontaliere, and Domino’s Pizza.

Update 1 (March 14): As they have done in other hacks, the hackers have posted the names of those whose data they have acquired.
They did not post any lab results, but the names and dates of the reports were posted with a preface:

Dear friends and foes,

Last week, we hacked the website of Labio, a French clinical laboratory. From the test results server, we downloaded hundreds of blood test results in addition to all of the 40,000+ stored login credentials. We offered Labio not to release their patients’ data in exchange for a very reasonable EUR 20,000. Unfortunately, so far, it seems as if they would rather save a little bit of money rather than protect their patients’ privacy. Something which is rather ironic considering they failed to secure this data in the first place.

If we do not get paid before next Tuesday at 4PM, we will release all of the data in our possession — including the blood test results. If your name is listed below, your results are unfortunately now stored on our servers. Do not hesitate to call Labio and ask them why they so far declined to protect your privacy.

Rex Mundi dumps more data after another entity doesn’t pay extortion demands

Rex Mundi has hacked and dumped data from Temporis, a French employment/recruitment agency. As they have done in the past, the hackers issued a statement and announced the data dump on Twitter, where they currently post as @rexmundi15:

Last week, we hacked the servers of Temporis, allegedly France’s largest network of franchised temp work agencies (www.temporis-franchise.fr). From their website, we downloaded a trove of confidential data, which include their clients list as well as a massive list of thousands of profiles belonging to job applicants. What is interesting about this list is the fact that it contains both the applicants’ email addresses and user-generated passwords. Since a lot of people re-use the same passwords from site to site, these credentials could allow anyone to log in to the job applicants’ email accounts or other services.

We offered Temporis not to release their data in exchange for 20,000EUR. They never replied and we therefore published their data today. Temporis’ database dump can either be downloaded from our dark web website or from the following URL: [redacted by DataBreaches.net]

If you are a Temporis client or one of the people who applied for a job through their website, one thing should be clear to you now: your privacy is not even worth 20,000EUR to Temporis.

Rex Mundi

DataBreaches.net e-mailed Temporis to request a statement about the claims and to ask whether they were notifying those affected. A Temporis spokesperson responded that all their users were notified of the privacy breach, and that all accounts involved in the hack (about 24,000) have been modified. Temporis also issued a press statement, a copy of which they sent to DataBreaches.net. The press release – if I am translating it correctly – states that Temporis learned of the breach on January 19 when Rex Mundi contacted them. It also says that they do not collect any bank details or social security account numbers from job applicants and that applicants’ CVs are secure.