This article is more than 1 year old

Plastic surgery patients face extortion in wake of clinic data breach

Nip/tuck hack

Thousands of private photos have been leaked by cybercriminals following the hack of a Lithuanian cosmetic surgery clinic.

A hacking group, using the nickname "Tsar Team", leaked images it claims came from the Grozio Chirurgija clinic servers. The group spaffed the data after targeted health facility's customers failed to meet extortionate payment demands.

According to police, a portion of a stolen customer database was released in March prior to the release of sensitive photos including nude images of patients on Tuesday.

Local police say dozens of patients have come forward to report getting blackmailed. "It’s extortion. We’re talking about a serious crime," the deputy chief of Lithuania’s criminal police bureau Andzejus Raginskis told The Guardian.

Cybercriminals were demanding ransom payments of between €50 ($55, £44) and €2,000 ($2,236, £1,747), payable in Bitcoin, with higher fees demanded depending on the sensitivity of compromised data. Nude photos, passport scans and national insurance numbers were among the items that bumped up fees.

The hackers switched to targeting individuals after failing to get the clinic itself to cave in to a demand to hand over 300 bitcoin ($661K or £517/€591K at current prices), later reduced to 50 Bitcoin ($110K. £86k). The clinic refused to cave, sensibly, since even if it paid there'd be little to stop the hackers retaining a copies of the compromised data and coming back for further payments.

More than 1,500 British patients feature on the clinic's database, The Guardian adds. It's unclear what percentage of those people (if any) have been targeted.

Jonas Staikunas, the director of Grozio Chirurgija, apologised to its customers and told local media: "Cybercriminals are blackmailers. They are blackmailing our clients with inappropriate text messages."

Affected patients are being advised to not to act on extortionate demands, which the clinic said ought to be forwarded to the police. It also urged its customers to be wary of possible malware and phishing scams in a notice to its website that also explains who is dealing with the case (extract from Google translation of the original Lithuanian below).

Clinic "Beauty Surgery", in cooperation with the police department, the National Electronic Communications Networks and Information Security Emergency Response Unit (CERT) and other responsible authorities, aims to prevent the unauthorised processing of personal data, which posted a long time the company and its patients blackmailed cyber criminals distribution.



Tsar Team is one of the many noms de guerre of APT28, the group of Russian hackers blamed for hacks on the Democratic National Committee last year and much more. APT28 (aka Fancy Bear) has elsewhere been linked to Russian military intelligence, GRU.

El Reg's security/intel desk considers it's most likely that a group of chancers have appropriated the Tsar Team moniker in an attempt to intimidate prospective marks. The possibility that this is a money making side project can't be completely discounted though. According to some, APT28 has worked with a few "temp staffers" including former criminal hackers at times.

More about


Send us news

Other stories you might like