Hackers say they have broken into Elantis, a Belgian credit provider owned by Dexia, and demand payment of €150,000 (US$197,000).
If Elantis doesn’t pay up before tomorrow (May 4), say the hackers, they will publish confidential customer information, reports PCWorld.
According to Softpedia, the hackers have stated the following:
"In addition to database tables containing data such as internal login credentials, we downloaded numerous tables which contain Internet loan applications, as well as fully-processed applications. Those tables hold highly-sensitive data such as the applicants' full names, their jobs, ID card numbers, contact information and details about their income"
The bank confirmed the data breach on Thursday, though it stated that it will not give in to extortion threats.
Softpedia quotes the hackers: “While this could be called ‘blackmail,’ we prefer to think of it as an ‘idiot tax’ for leaving confidential data unprotected on a Web server.”
Now, I have no problem with third parties contacting legitimate sites to alert them to network insecurities. Improving security is a good thing, and there are a lot of sites out there harbouring vulnerabilities and less-than-ideal security measures.
And I also get that this threat of pushing out customer data is an embarrassing one for the banks. But doesn’t the simple act of blackmailing lower you to the yuckiest societal rungs?
The sad reality here is that the real victims are the bank’s customers, not the bank. It is the customer data that is at risk. Their only fault was partnering with the wrong bank at the wrong time.
The bank has told the press that they are not prepared to pay. That they don’t like blackmail.
Let’s hope that, whatever the outcome of this scenario, Elantis likes security and will address its security deficiencies. And they had also better figure out a way to make it up to their customers whose identities are currently at risk.
Instead of just posting all the confidential data on the web for just anyone to use… which is the easiest thing to do… that's just hurting the customers. So I think they should contact each of the customers they have info on (if they have address or email type contact info) and let them know their info has been lost by the bank… if everyone pulls out their money or starts complaining – maybe then the bank will do something.
Yes, if I was contacted by someone who could tell me all my info that is not freely shared I'd be up in arms, and the bank would not only be losing my business but paying for identity protection as well.
I think they will not publicize this information. They should use it instead.
That would be quite the clever move; contacting the customers and letting them know what happened and they withdraw everything and bank collapses?