Cybercrooks attempted to extort a chain of cosmetic surgeons after hacking into its systems and stealing an estimated 480,000 files stuffed with info about prospective nip-'n'-tuck customers.
Computer systems at Harley Medical Group, which has 21 clinics across the UK, were pillaged to loot personal details from nearly half a million records referring to people considering plastic surgery. The attack last month was followed by an attempt by hackers to extort blackmail money from the clinic under the threat that sensitive personal information would be released otherwise.
Harley Medical Group did not cave in to the demands. A spokesman for the clinic told El Reg that the "perpetrator" compromised its systems after exploiting flaws in its website inquiry form. All sorts of personal information, including potential clients' names, addresses, dates of birth and contact details, as well as detailed information about the type of cosmetic procedure they were inquiring about, was exposed as a result of the breach.
Both West Midlands police and data privacy watchdogs at the UK’s Information Commissioner’s Office have been informed about the breach. Harley Medical Group said that neither detailed clinical information nor financial information was exposed as a result of the breach. The spokesman said patient and financial records are held on a separate system, which was unaffected by the incident.
He added that 480,000 records were affected, but since prospective clients regularly make multiple inquiries about various treatments, the actual number of people whose private details have been exposed will be less than this.
The clinic began notifying customers and potential clients about the incident two weeks ago, we're told, but news of the incident only broke on Tuesday.
The news and blog portions of the clinic's site returned a 404 error page on Wednesday lunchtime.
Its Facebook page is still available – if a little, ahem, tight-lipped about the breach. However, a series of updates from the official Harley Medical Group Twitter feed do shed further light on the incident.
@billyonairr Hi, we apologise initial enquiries were accessed illegally and have taken steps to ensure this will not happen in the future.— Harley Medical Group (@harleymedical) April 15, 2014
It added later:
"If you’re considering having a tummy tuck, a breast enlargement or some other form of cosmetic surgery, chances are that you want to keep the treatment private," writes veteran security expert Graham Cluley in a post on BitDefender's HotForSecurity blog. "There aren’t many people who are comfortable admitting that they have confidence issues with their physical appearance. And, for that reason, you would hope that cosmetic surgeries keep a close guard of the personal data of their clients and potential customers," he added.
"Such information could be used not just to embarrass an individual, but also – potentially – to extort money from them. Furthermore, the private information could be sold to tabloid newspapers or entertainment websites which are scrabbling for some showbiz tittle tattle to fill their pages," he added.
Cluley praised Harley Medical Group for coming clean while faulting it for evidently inadequate security that allowed criminal hackers to riffle through its systems in the first place. "Everyone will be disappointed to hear that the private information of thousands of people has been exposed by the company’s sloppy security. Any organisations storing sensitive information have a duty to properly defend it with layered security, properly hardened websites and strong tough-to-crack encryption." ®