Hackers blackmail Belgian bank Elantis over unencrypted customer data
The hackers call their £122,000 demand an "idiot tax" because the information was unencrypted on the bank's web server
By Loek Essers | Published: 17:00, 03 May 2012
Hackers claimed to have breached the systems of the Belgian credit provider Elantis and threatened to publish confidential customer information if the bank does not pay €150,000 (£122,000) before Friday, May 4, they said in a statement posted to Pastebin. Elantis confirmed the data breach on Thursday, but the bank said it will not give in to extortion threats.
The hackers claim to have captured login credentials and tables with online loan applications which hold data such as full names, job descriptions, contact information, ID card numbers and income figures. They demanded a payment of "the equivalent of roughly €150,000", with which Elantis could prevent the publication of confidential customer information, they said in a Pastebin post published on Tuesday. According to the hackers the data was stored unprotected and unencrypted on the servers. To prove the hack, parts of what they claimed to be captured customer data were published.
"While this could be called 'blackmail,' we prefer to think of it as an 'idiot tax' for leaving confidential data unprotected on a Web server," they said.
The hackers contacted the bank via email last Friday, said Moniek Delvou, spokeswoman for Belfius Bank (formerly known as Dexia), Elantis' parent company. "We assume they possibly captured the data of 3,700 customers," Delvou said, adding that the compromised data could belong to existing and potential customers. Elantis customers were informed of the data breach, according to Delvou.
After the bank found out what happened, the Elantis site was taken offline and the bank contacted the Belgian Federal High Tech Crime Unit, which is now investigating the case, Delvou said. An unnamed specialized American security firm is also conducting an investigation, she added.
"We are not prepared to pay," Delvou said. "We don't like blackmail."
The hackers did not specify in what way Elantis should pay the amount, and after the email sent last Friday there has been no contact between the hackers and the bank, she said. Elantis plans to put its site back online when it is deemed secure enough, according to Delvou.
The Federal High Tech Crime Unit could not immediately comment on the pending investigation. The hackers could not be contacted.





Comments
Larry Warnock said: Very rarely do I agree with anything that is said by hacker groups. And I never agree with their tactics or stated mission, but I must say this time the hackers were dead on when they referred to this ransom payment as an idiot tax. Yes, whoever decided this at the bank was indeed an idiot. Yet we see this again and again. It makes no sense to me. I could understand if encrypting data was difficult or expensive. It simply isn't. There are many solutions on the market. Some for as cheap as 500 a month. So now the bank has been asked to pay a 150000 ransom; using the ransom math, that is 25 years of encryption for the cost of this one ransom payment, but even worse, they will LOSE customers because of this. They have already lost their customers' trust. How can a bank possibly be trusted with money if they can't even be trusted with your personal data? It is outrageous. The fact is that there are many ways to implement data encryption. Damn, there are even open source solutions to this problem. It is appalling to me, and if I was a shareholder I would demand that the CEO be replaced. Yes, that is how strongly I feel about this topic. Customer and/or sensitive company data needs to be protected. Encryption is not a silver bullet but one of the layers of security that should be used by ALL companies. It is not difficult and it is not expensive. It continues to amaze me to learn of data breaches and then later it is disclosed that basic security steps were ignored. Give me a break. Shame on Elantis Bank. I wish I was a customer. I would close my account.