Hackers attempt to BLACKMAIL plastic surgeons

Nip, tuck and pwn

Cybercrooks attempted to extort a chain of cosmetic surgeons after hacking into its systems and stealing an estimated 480,000 files stuffed with info about prospective nip-'n'-tuck customers.

Computer systems at Harley Medical Group, which has 21 clinics across the UK, were pillaged to loot personal details from nearly half a million records referring to people considering plastic surgery. The attack last month was followed by an attempt by hackers to extort blackmail money from the clinic under the threat that sensitive personal information would be released otherwise.

Harley Medical Group did not cave in to the demands. A spokesman for the clinic told El Reg that the "perpetrator" compromised its systems after exploiting flaws in its website inquiry form. All sorts of personal information, including potential clients’ names, addresses, dates of birth and contact details, as well as detailed information about the type of cosmetic procedure they were inquiring about, was exposed as a result of the breach.

Both West Midlands police and data privacy watchdogs at the UK’s Information Commissioner’s Office have been informed about the breach. Harley Medical Group said that neither detailed clinical information nor financial information was exposed as a result of the breach. The spokesman said patient and financial records are held on a separate system, which was unaffected by the incident.

He added that 480,000 records were affected, but since prospective clients regularly make multiple inquiries about various treatments, the actual number of people whose private details have been exposed will be less than this.

The clinic began notifying customers and potential clients about the incident two weeks ago, we're told, but news of the incident only broke on Tuesday.

The news and blog portions of the clinic's site returned a page 404 error on Wednesday lunchtime.

Its Facebook page is still available – if a little, ahem, tight-lipped about the breach. However a series of updates from the official Harley Medical Group Twitter feed do shed further light on the incident.

It added later:

Coverage of the security flap can be found in stories by the Daily Mail, The Independent and the Daily Mirror.

"If you’re considering having a tummy tuck, a breast enlargement or some other form of cosmetic surgery, chances are that you want to keep the treatment private," writes veteran security expert Graham Cluley in a post on BitDefender's HotForSecurity blog. "There aren’t many people who are comfortable admitting that they have confidence issues with their physical appearance. And, for that reason, you would hope that cosmetic surgeries keep a close guard of the personal data of their clients and potential customers," he added.

"Such information could be used not just to embarrass an individual, but also – potentially – to extort money from them. Furthermore, the private information could be sold to tabloid newspapers or entertainment websites which are scrabbling for some showbiz tittle tattle to fill their pages," he added.

Cluley praised Harley Medical Group for coming clean while faulting it for evidently inadequate security that allowed criminal hackers to riffle through its systems in the first place. "Everyone will be disappointed to hear that the private information of thousands of people has been exposed by the company’s sloppy security. Any organisations storing sensitive information have a duty to properly defend it with layered security, properly hardened websites and strong tough-to-crack encryption." ®
