Feeds

Hackers attempt to BLACKMAIL plastic surgeons

Nip, tuck and pwn

Beginner's guide to SSL certificates

Cybercrooks attempted to extort a chain of cosmetic surgeons after hacking into its systems and stealing an estimated 480,000 files stuffed with info about prospective nip-'n'-tuck customers.

Computer systems at Harley Medical Group, which has 21 clinics across the UK, were pillaged to loot personal details from nearly half a million records referring to people considering plastic surgery. The attack last month was followed by an attempt by hackers to extort blackmail money from the clinic under the threat that sensitive personal information would be released otherwise.

Harley Medical Group did not cave into the demands. A spokesman for the clinic told El Reg that the "perpetrator" compromised its systems after exploiting flaws in its website inquiry form. All sorts of personal information including potential clients’ names, addresses, dates of birth, contact details as well as details information about the type of cosmetic procedure they were inquiring about was exposed as a result of the breach.

Both West Midlands police and data privacy watchdogs at the UK’s Information Commissioner’s Office have been informed about the breach. Harley Medical Group said that neither detailed clinical information nor financial information was exposed as a result of the breach. The spokesman said patient and financial records are held on a separate system, which was unaffected by the incident.

He added that 480,000 records were affected but since prospective clients regular make multiple inquiries about various treatments the actual number of people whose private details have been exposed will be less than this.

The clinic began notifying customers and potential clients about the incident two weeks ago, we're told, but news of the incident only broke on Tuesday.

The news and blog portions of the clinic's site returned a page 404 error on Wednesday lunchtime.

Its Facebook page is still available – if a little, ahem, tight-lipped about the breach. However a series of updates from the official Harley Medical Group Twitter feed do shed further light on the incident.

It added later:

Coverage of the security flap can be found in stories by the Daily Mail (here), The Independent (here) and the Daily Mirror (here).

"If you’re considering having a tummy tuck, a breast enlargement or some other form of cosmetic surgery, chances are that you want to keep the treatment private," writes veteran security expert Graham Cluley in a post on BitDefender's HotForSecurity blog. "There aren’t many people who are comfortable admitting that they have confidence issues with their physical appearance. And, for that reason, you would hope that cosmetic surgeries keep a close guard of the personal data of their clients and potential customers," he added.

"Such information could be used not just to embarrass an individual, but also – potentially – to extort money from them. Furthermore, the private information could be sold to tabloid newspapers or entertainment websites which are scrabbling for some showbiz tittle tattle to fill their pages," he added.

Cluley praised Harley Medical Group for coming clean while faulting it for evidently inadequate security that allowed criminal hackers to riffle through its systems in the first place. "Everyone will be disappointed to hear that the private information of thousands of people has been exposed by the company’s sloppy security. Any organisations storing sensitive information have a duty to properly defend it with layered security, properly hardened websites and strong tough-to-crack encryption." ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
prev story

Whitepapers

Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.