Cyber crooks may have broken into Harley Medical Group, a cosmetic surgery firm with 21 clinics in the UK, to filch the intimate details of about 480,000 potential patients and then try to extort money from the company.
The company believes that a single intruder struck last month, getting hold of the online enquiry forms submitted by people asking about procedures such as tummy tucks and liposuction.
From a statement sent by Chairman Peter Boddy to all clients of the company:
We recently became aware that an unknown individual had deliberately bypassed our website security, gaining access to information from initial website enquiries in an attempt to extort money from the company.
Along with the enquiries themselves, the intruder obtained potential clients' names, email addresses, phone numbers, dates of birth and postal addresses.
The company insists that neither clinical nor financial information was accessed.
No details of how the intruder bypassed the website's security have been released yet.
Harley’s management didn’t give in to the thieves’ demands. Instead, they called the police and the Information Commissioner’s Office.
Then, they beefed up their online security systems and apologised to customers, a spokesman said:
The police and the information commissioner were notified and we contacted everyone whose inquiry may have been accessed to apologise and to reassure them that all clinical and financial records remain totally secure. We have taken action to further strengthen the security around website inquiries.
It’s certainly easy to see why a clinic that offers nose jobs, breast augmentation – “boob jobs”, as media enjoys calling them – or similar surgeries would be a juicy target for extortionists.
Some people who have these types of surgery may not want to admit to it publicly, particularly when, *ahem*, the procedures get dubbed with somewhat derisive names.
We’ve seen a rash of cyber extortion cases, many of a sexual nature, such as the guy who tried to extort Miss Teen USA with the webcam photos he got from her hacked computer.
Another case involved two Polish programmers who were recently jailed for 5 years for DDoS and cyber-extortion of a UK-based online casino.
Nobody should have to fear for the future of their business because of thieves and extortionists, but unfortunately, that’s a constant possibility for online businesses.
Anybody who transacts with customers online – most particularly over intimate or potentially embarrassing things – has got to believe it could happen to them, and accordingly batten down the hatches, security-wise.
It’s good that Harley Medical Group’s doing it now. Hopefully similar businesses will learn from its experience and do the same – before it’s too late and it happens to them.