Rex Mundi statement on their motives and methods
@RexMundi2015 issued a statement today, to set the record straight.
Dear friends and foes,
Over the past few months, we have read a series of inaccurate facts about us in the press. We therefore would like to take the time to correct some of the most common misconceptions regarding our activities.
– The companies we targeted have only one thing in common: mediocre IT security protocols or poorly-designed Web applications. After successfully hacking a website, we always give its owners a clear choice: pay up to protect the data they failed to secure from getting released over the Web or refuse to pay to clean up their own mistakes. To this, of course, some might object that those companies are not responsible for getting hacked — we are. But, think about this scenario for a moment: your best friend lends you her car. You park it at night in a sketchy neighborhood and leave it unlocked with the keys on the front seat. Coming back in the morning, you realize the car has of course been stolen. Who is responsible? The thief of course should be blamed for it. But aren’t you also to blame? Your friend trusted you to keep her car safe, something which you failed to do. Similarly, while we are obviously to blame for these hacks, we feel that the companies we target are also partly responsible for their users’ data getting stolen. All in all, this creates a very interesting and fascinating moral dilemma.
– Unlike other groups out there, we have no interest whatsoever in making any kind of political or social statement. We are only interested in making money, which brings us to the code of conduct we have put in place. This code of conduct was devised not out of some misplaced sense of honor, but simply to maximize our chances of getting paid. It is quite simple:
* Communication and/or negotiations between us and our targets is never released, regardless of whether we get paid or not.
* We never discuss or even acknowledge the fact that some of our past targets might have paid us.
* We automatically delete all of the stolen data once a full payment has been made.
* We never target the same company twice and, for obvious reasons, we always stick with the original requested amount.
Once again, this code of conduct is simply there to ensure we do end up getting paid. If we posted the data of a company that has paid us, no other future target would ever agree to pay us. Similarly, asking for more money once we have already been paid would be pointless as no target would pay a second time out of fear we might ask for even more money a third time.
– Finally, we would like to mention that whether a company agrees to pay us or not has no impact on our future endeavors. We will continue to target vulnerable websites, regardless of how many companies refuse or accept to pay.
PS: Shouldn’t Labio have informed its patients of the breach?