Hackers blackmail Belgian bank Elantis over unencrypted customer data

[InfoSec News <alerts () infosecnews org>]

http://news.techworld.com/security/3355659/hackers-blackmail-belgian-bank-elantis-over-unencrypted-customer-data/

By Loek Essers
Techworld
03 May 2012

Hackers claimed to have breached the systems of the Belgian credit 
provider Elantis and threatened to publish confidential customer 
information if the bank does not pay €150,000 (£122,000) before Friday, 
May 4, they said in a statement posted to Pastebin. Elantis confirmed 
the data breach on Thursday, but the bank said it will not give in to 
extortion threats.

The hackers claim to have captured login credentials and tables with 
online loan applications which hold data such as full names, job 
descriptions, contact information, ID card numbers and income figures. 
They demanded a payment of "the equivalent of roughly €150,000", with 
which Elantis could prevent the publication of confidential customer 
information, they said in a Pastebin post published on Tuesday. 
According to the hackers the data was stored unprotected and unencrypted 
on the servers. To prove the hack, parts of what they claimed to be 
captured customer data were published.

"While this could be called 'blackmail,' we prefer to think of it as an 
'idiot tax' for leaving confidential data unprotected on a Web server," 
they said.

The hackers contacted the bank via email last Friday, said Moniek 
Delvou, spokeswoman for Belfius Bank (formerly known as Dexia), Elantis' 
parent company. "We assume they possibly captured the data of 3,700 
customers," Delvou said, adding that the compromised data could belong 
to existing and potential customers. Elantis customers were informed of 
the data breach, according to Delvou.

[...]

_______________________________________________
LayerOne Security Conference
May 26-27, Clarion Hotel, Anaheim, CA
http://www.layerone.org