After Demanding $3 Million Ransom, Hacker Dumps Massive Customer Financial Data

Patrick O'Neill writes: Just over week after a hacker breached a United Arab Emirates Bank, demanding a $3 million ransom to stop tweeting customers' information, he appears to have dumped tens of thousands of customer files online. The actual data appears to be real. And it's vast. One database analyzed by the Daily Dot includes the sensitive information of around 40,000 customers, including their full names, credit card numbers, and birthdays. One account contained 4,7174,962.38 dirham, or $12,844,589.77. Those accounts' total earnings add up to $110,736,002. One bank executive confirmed the hack to Farooqui, adding that, "This is blackmail."

Um, yeah ...

[gstoddart]

"This is blackmail."

Yes, that's exactly what it is.

What do you think holding something for ransom is?

Re:

[Anonymous Coward]

The balance line? That was a specific balance in one of the accounts, not the ransom requested.

Re:

[Impy the Impiuos Imp]

> After Demanding $3 Million Ransom, Hacker Dumps Massive

Peter Griffen: "Ooooh?"

> Customer Financial Data

Peter Griffen: "Awwww..."

Re:

[gstoddart]

I'm just wondering how they came up with the "4,7174,962.38" figure...

Ummm ... straight off the account information which was leaked?

If it was dollars instead of dirham, would you be asking the same question?

I assume the "0.38" is the equivalent of "cents".

Re:

[hawguy]

"This is blackmail."

Yes, that's exactly what it is.

What do you think holding something for ransom is?

Well no, at its core, it's just inadequate security practices by the bank.

Re:Um, yeah ...

[AmiMoJo]

They shouldn't pay it anyway. All they have is this guy's word that he won't release any (more) data. Maybe they pay him and he sells the data on to someone else, who then demands their $3m ransom too. No matter what happens they will have to treat it as if the information is public now.

As well as losses due to theft, it will be interesting to see if there are any financial penalties from their regulator or if anyone manages to sue them. For one the people being screwed can afford good lawyers.

Re:

[gstoddart]

They shouldn't pay it anyway. All they have is this guy's word that he won't release any (more) data

Isn't this kind of an intrinsic thing with blackmail and extortion?

Yes, the guy shaking you down for money may not be honest and give you what he promised once you pay the money. Nobody ever said blackmail was done by honest, law abiding citizens.

I mean, I don't disagree with you. But I'm pretty sure in any such situation you have no real way of knowing the bad guys will play fair.

Re:

[AmiMoJo]

It reminds me of old blackmail movies where they demand the negatives, as if you can't fairly easily make copies of negatives or just keep some prints.

Re:

[TWX]

At least duplicating negatives required equipment that most people neither had ready personal access to nor had training on, so if the blackmail content of the negatives was very sensitive then paying a photolab to duplicate the negatives properly could lead to exposing the blackmailer to extra risk.

Modern digital content doesn't usually require any special equipment or training, and even your average neophyte could do it.

Re:

[Chris Mattern]

But making up a couple of dozen of prints to keep before you hand over the negatives would be easy. Granted, you couldn't make more after the negatives were out of your hands without a great deal of trouble, but you'd have those prints.

Re:

[TWX]

You're still probably dependent on the photo lab to make the prints though. I've developed negatives and developed prints from negatives, it's a smelly, messy task that is beyond most people. One would have to be on the level of Charles Augustus Milverton to pursue hobbies or crafts specifically for their ability to be used for blackmail, and would have to blackmail in such quantity as to make a living from it in order to justify all of the security and other headaches associated with such a limited lifes

Re:

[ultranova]

I've developed negatives and developed prints from negatives, it's a smelly, messy task that is beyond most people.

You know, I went to children's photography club as a kid, and I can't recall any of us having any trouble developing our photos. It's just a projector followed by two chemical bathes with rinsing with water between. Anyone who can use tweezers shouldn't have any problems.

Re:

[Chris Mattern]

Black and white is well within the reach of even a casual hobbyist, although it's "anyone who can use tweezers and has access to a darkroom." Color tends to be rather more complicated; developing Kodachrome was strictly a job for professionals.

Re:

[TapeCutter]

I've developed negatives [a] task that is beyond most people.

I was doing it at age 12 in mum's laundry, with good results, bought the equipment and supplies with pocket money.

Re:

[omnichad]

My favorite is the floppy disk or thumb drive version. So easy to copy that there's no reason there wouldn't be duplicates everywhere.

Re:

[Rob MacDonald]

with USB that's merely a caching thing and 99% of the time you are fine to rip it out (once the actual transfer is done). Floppies, oh boy, you can literally tear the thing apart yanking it out early. If the lights are still flashing on your usb drive, it's not done!

Re:

[Troed]

Disclaimer: I just (like in a few days ago) wrote code to directly address the Floppy Disc Controller and Direct Memory Address subsystems on a computer architecture from 1985 to read/write raw data to disk.

After having made the transfer you should take care to deselect the active drive. However, you should not deselect the drive until the motor has stopped spinning. This is best done by doing a busy wait checking the MOTOR ON flag before deselection.

The "disk access light" is on as long as the drive is sel

Re:

[ravenscar]

Even in the days of negatives it was relatively easy to doctor photos. If a photo were to make it into the public one could say "That photo isn't real. It has been doctored." The party releasing the photo could say "No it hasn't. Here are the negatives." As any tampering with the negatives would be plainly evident. If the party couldn't produce the negatives the photo would be suspect - especially in a court of law. Where the law ins concerned, courts have always treated photographic evidence with mu

Re:

[Anonymous Coward]

As any tampering with the negatives would be plainly evident. If the party couldn't produce the negatives the photo would be suspect - especially in a court of law.

Well, how about photographing a doctored print? Then you have negatives that have not been altered of an image that has.

Re:

[AmiMoJo]

Sure, but negatives are not hard to duplicate.

Re:

[ravenscar]

Fair enough. Not easy for "average person," but certainly not hard for someone motivated.

Re:

[Lumpy]

These same people think making guns illegal will remove them from criminals hands.

Re:

[ranton]

They shouldn't pay it anyway. All they have is this guy's word that he won't release any (more) data. Maybe they pay him and he sells the data on to someone else, who then demands their $3m ransom too.

That is why the ransom seekers should be asking for monthly installments. This way both sides have a vested interest in keeping the status quo.

Re:

[Chris Mattern]

Blackmail is such an ugly word. We prefer "fish paste".

Re:Um, yeah ...

[Wycliffe]

"This is blackmail."

Yes, that's exactly what it is.

What do you think holding something for ransom is?

Holding "something" for ransom isn't blackmail if that something is tangible. Even holding "information" for ransom isn't blackmail. If I have the password and won't give it to you until you give me $1M that's still not blackmail. Blackmail is when you threaten to release information for a ransom. The biggest problem with blackmail (as opposed to holding a password or something tangible for ransom) is that once the other party has that information, giving them the money really doesn't resolve the situation as they can still release it at any time in the future and/or demand more money to maintain status quo. Promises to delete the data, give you the only copy, etc... are hard to enforce or verify.

Re:

[Dragonslicer]

In particular, the common usage of the word "blackmail" refers to threatening to release information about the person or something that the person has done because the information is meaningful in of itself and potentially harmful to their reputation. While you certainly don't want everyone to know your credit card number, since they could use it to harm you financially, the fact that your credit card number is 1234-5678-1234-5678 doesn't really mean anything.

Re:

[rtb61]

There is a slight difference between blackmail and extortion. Technically threatening to expose actual account holders who have been say, taking bribes or cheating on taxes, unless they paid would be blackmail but threatening the Bank is more extortion. Of course for criminal investigators it all now is legal evidence, who knows what shenanigans have no been exposed.

Re:

[TapeCutter]

"This is blackmail."

Yes, that's exactly what it is.

What do you think holding something for ransom is?

Extortion, blackmail implies the bank did something that they don't want others to know about.

It WAS Blackmail

[Anonymous Coward]

One bank executive confirmed the hack to Farooqui, adding that, "This is blackmail."

Dude, it was blackmail. This is a shitstorm.

Re:

[Opportunist]

Presented by the "how to be racist with politically correct terms" department.

Re:

[truck_soccer]

This reverse trolling that you've been attempting is really starting to fail harder than usual. Maybe get some new material?

The problem with paying blackmail

[Geoffrey.landis]

Only a bankster is stupid enough not to spend a ratio of 3:111 to protect their business.

The problem with paying blackmail is that it doesn't ever stop.

Re:The problem with paying blackmail

[TWX]

It does if one takes the opportunity to pay the blackmailer as a means to expose them, to then murder them in a way that leaves evidence of a very prolonged and excruciating death.

I suspect that one of the reasons that people don't engage in this kind of behavior more often is that it's very, very difficult to collect ransom without subjecting one's self to grievous risk. Wealthy people also have the means to afford to get retribution against someone else if they choose to do so.

Tracking money

[phorm]

I'd especially expect that a bank might be well-versed in ways to track money, and have friends that would cooperate in making it difficult so as to reduce such blackmail overall. And given the bank in question, I'd also expect that things would go rather badly for the culprit once tracked down.

Re:

[ranton]

The problem with paying blackmail is that it doesn't ever stop.

That is where negotiations come in. Agree to pay in installments so both sides have a reason to keep up the status quo.

Re:

[painandgreed]

Only a bankster is stupid enough not to spend a ratio of 3:111 to protect their business.

The problem with paying blackmail is that it doesn't ever stop.

It does and it works if it delays the blackmailer long enough for that payer's investigators to discover who did it and send in a hit squad.

Re:

[bloodhawk]

Only a bankster is stupid enough not to spend a ratio of 3:111 to protect their business.

only an idiot thinks that ratio is correct. Once you start paying blackmail there will be an endless queue of people willing to blackmail you.

Re:

[Anonymous Coward]

The shooting in Paris was caused by climate change as proven by Obama saying that. He has more information than us, and he believes that climate change is what caused that.

Re:

[i_ate_god]

to be fair, this whole mess could actually be partly responsible on climate change.

Syria has been experiencing a severe drought, which has lead to unemployment in the agricultural industry. The mass unemployment was one of catalysts of the civil war.

Oh good!

[TFlan91]

Just in time for a holiday shopping spree, paid for by ISIS!

Blackmail

[Grishnakh]

One bank executive confirmed the hack to Farooqui, adding that, "This is blackmail."

No shit, Sherlock!

This bank executive's a real genius; I never would have guessed that this is blackmail. /s

Re:

[truck_soccer]

The operative phrase here is "bank executive". You literally don't have to know ANYTHING to be an executive. That is what your staff is for.

Re:

[Anonymous Coward]

Teehee, you said 'SJW'

You know that instantly renders your opinions as a joke, yeah?

Re:

[Falos]

Did you really just plug your ears and hum? I did wonder if that's how they handle things.

Income inequality

[Theaetetus]

Complete aside, but...

One database analyzed by the Daily Dot includes the sensitive information of around 40,000 customers, including their full names, credit card numbers, and birthdays. One account contained 4,7174,962.38 dirham, or $12,844,589.77. Those accounts' total earnings add up to $110,736,002.

$110.7 million over 40,000 accounts is an average of $2,767.5 per account. That one guy with $12 million has over 4600 times the average.

Re:Income inequality

[TheDarkMaster]

Well... The "1% owns everything" is not the usual bullshit or conspiracy theory, is very real.

Re:

[Citizen of Earth]

I have a huge amount of cash savings but only a couple grand in a deposit account. Really, only a business or a dummy would have a large deposit.

Re:

[Ragnarok89]

I think you might be incorrect... You are comparing one account's BALANCE to the average EARNINGS (interest paid) of the others. There is no mention of the cumulative balance of the other 40,000 accounts. I also admit that the author may have thought the terms were interchangeable - but they are not.

blackmail

[NostalgiaForInfinity]

One bank executive confirmed the hack to Farooqui, adding that, "This is blackmail."

Yes, it is. But it is also something else, something much more important: lousy security, utter disregard for their customers, and negligence on the part of the United Arab Emirates Bank.

When a bank loses customer data on this scale, the bank is the crook and the victim is the customer. Trying to portray the bank as the victim (of blackmail) adds insult to injury.

That sensitive information shouldn't be sensitive

[PeterM from Berkeley]

Does knowing birthdays, names, addresses, SSN's prove that a person *is* the person with that name, birthday and SSN?

Not anymore! All that information has been stolen so many times.

So any lender, or banker, who gives out money (loan or otherwise) to a person based solely on birthday, name, address and SSN has NOT done due diligence, and the bank should have FULL liability for any theft that occurs, NOT the poor unfortunate that rightfully owns the identity.

We badly need to reform this system that uses such weak proofs of identity as "knowing' something. And we badly need to start blaming lenders/bankers for fraud that occurs because they are too stupid to realize that the data I mentioned isn't proof of identity.

--PM

How to make information worthless

[hackertourist]

I was thinking about ways the bank could have mitigated the effects of the attack. Would it be worth releasing piles and piles of false identities? Generate so much noise that anyone who'd want to use the data would have no way to separate the wheat from the chaff.

Re:

[MiniMike]

How about current customers are given alternate methods to connect. Anyone using the released information from an IP address not previously used is forwarded to that infamous goat-site, and their IP address recorded. If that IP address can later be linked to an identity (i.e. e-mail) that person is auto-subscribed to an array of camel-porn mailing lists (unless they're already on them, in which case they're unsubscribed). Not perfect, but it might have some effect.

Not blackmail

[CanEHdian]

It's called "speculative invoicing".

40K customers and $3 million

[ayesnymous]

Wonder if it will cost them more than $3 million to deal with the fallout from the breach of 40K customers. Perhaps it would have been cheaper to pay the ransom.

You can't pay the ransom

[ZorinLynx]

They have the information. They can release it any time.

You might pay the ransom, then they'll demand more money a year down the line.

It sucks that the customer data got released, but paying a ransom isn't the right way to deal with this. Improve security, make it harder to breach the systems. Paying ransoms just encourages more ransoms in the future.

If the criminals know they'll never get their ransom paid, they'll stop. (and move onto other criminal endeavors I'm sure... but that's criminals for ya)