Hackers hold bank to ransom over stolen data

Hackers hold bank to ransom over stolen data

Summary: In an unusual move, a group of hackers has attempted to blackmail a Belgian bank for €150,000 over client data lifted from a compromised server

SHARE:
TOPICS: Security
2

A group of hackers has attempted to extort €150,000 from Belgian bank Belfius by blackmailing the bank over hacked data.

The hackers said in an online ransom note that if they were not paid by Friday, they would release the data of customers of Elantis, taken from a compromised server. Elantis is a mortgage and consumer credit company owned by Belfius.

"While this could be called 'blackmail', we prefer to think of it as an 'idiot tax' for leaving confidential data unprotected on a web server," said the ransom demand.

The hackers claimed to have accessed database tables containing unencrypted and unprotected data from loan applications such as applicants' full names, jobs, ID card numbers, contact information and details about their income.

Belfius told ZDNet UK on Friday that it had informed the Federal Computer Crime Unit in Brussels and local police in Liege of the extortion attempt. Up to 3,700 customers and brokers may have been affected, and they have been informed of the probable breach, said the bank.

"We say this is blackmail," Belfius spokeswoman Moniek Delvou said on Friday. "The ransom has to be paid today... We will not pay."

The hackers sent Elantis an email last Friday demanding the money, saying that they had got hold of details of Elantis brokers and customers. Elantis reacted by immediately shutting down its servers, said Delvou.

The data that was likely to have been stolen consisted of online mortgage and credit application quotes, said Belfius.

Belgian police have launched an investigation, and Belfius has engaged a US security company to conduct an internal enquiry. Delvou said the bank could not comment on how the hackers had managed to break in.

While this could be called 'blackmail,' we prefer to think of it as an 'idiot tax' for leaving confidential data unprotected on a web server.

– Ransom demand

The bank said that as the Elantis and Belfius servers were separate, Belfius customers were in "no danger". "Elantis is the [company] that has been hacked," said Delvou. "There is no link between the servers of Elantis and Belfius." The bank said that it would deal with the situation should the hackers post the information.

"Are they going to post the data or not? We don't know for the moment," said Delvou.

A spokeswoman for the UK Metropolitan Police told ZDNet UK that to the knowledge of the Police Central e-Crime Unit, no UK banks had ever been held to ransom over stolen data.

UK financial services trade body the Payments Council said that should any financial services receive extortion demands, they should go the police.

"If ever such a scenario were to happen in the UK, the correct route would be for the organisation to contact the police, as this would be viewed as a criminal matter," said a Payments Council spokesman. "Therefore the organisation best placed to deal with such a thing would be the Police Central e-crime Unit (PCeU), which is run by the Metropolitan Police."


Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

2 comments
Log in or register to join the discussion
  • Have there been any further updates to this story? I can't find any information on whether the hackers released the data or not.
    KosGirl
  • Hello KosGirl,

    Good question. I've asked Belfius for a response. The latest post I can find on Pastebin about it is here: http://pastebin.com/E8ADVeHG

    Thanks for the comment.
    Tom Espiner