Feeds

Hackers attempt to BLACKMAIL plastic surgeons

Nip, tuck and pwn

Website security in corporate America

Cybercrooks attempted to extort a chain of cosmetic surgeons after hacking into its systems and stealing an estimated 480,000 files stuffed with info about prospective nip-'n'-tuck customers.

Computer systems at Harley Medical Group, which has 21 clinics across the UK, were pillaged to loot personal details from nearly half a million records referring to people considering plastic surgery. The attack last month was followed by an attempt by hackers to extort blackmail money from the clinic under the threat that sensitive personal information would be released otherwise.

Harley Medical Group did not cave into the demands. A spokesman for the clinic told El Reg that the "perpetrator" compromised its systems after exploiting flaws in its website inquiry form. All sorts of personal information including potential clients’ names, addresses, dates of birth, contact details as well as details information about the type of cosmetic procedure they were inquiring about was exposed as a result of the breach.

Both West Midlands police and data privacy watchdogs at the UK’s Information Commissioner’s Office have been informed about the breach. Harley Medical Group said that neither detailed clinical information nor financial information was exposed as a result of the breach. The spokesman said patient and financial records are held on a separate system, which was unaffected by the incident.

He added that 480,000 records were affected but since prospective clients regular make multiple inquiries about various treatments the actual number of people whose private details have been exposed will be less than this.

The clinic began notifying customers and potential clients about the incident two weeks ago, we're told, but news of the incident only broke on Tuesday.

The news and blog portions of the clinic's site returned a page 404 error on Wednesday lunchtime.

Its Facebook page is still available – if a little, ahem, tight-lipped about the breach. However a series of updates from the official Harley Medical Group Twitter feed do shed further light on the incident.

It added later:

Coverage of the security flap can be found in stories by the Daily Mail (here), The Independent (here) and the Daily Mirror (here).

"If you’re considering having a tummy tuck, a breast enlargement or some other form of cosmetic surgery, chances are that you want to keep the treatment private," writes veteran security expert Graham Cluley in a post on BitDefender's HotForSecurity blog. "There aren’t many people who are comfortable admitting that they have confidence issues with their physical appearance. And, for that reason, you would hope that cosmetic surgeries keep a close guard of the personal data of their clients and potential customers," he added.

"Such information could be used not just to embarrass an individual, but also – potentially – to extort money from them. Furthermore, the private information could be sold to tabloid newspapers or entertainment websites which are scrabbling for some showbiz tittle tattle to fill their pages," he added.

Cluley praised Harley Medical Group for coming clean while faulting it for evidently inadequate security that allowed criminal hackers to riffle through its systems in the first place. "Everyone will be disappointed to hear that the private information of thousands of people has been exposed by the company’s sloppy security. Any organisations storing sensitive information have a duty to properly defend it with layered security, properly hardened websites and strong tough-to-crack encryption." ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.