Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Crime Security The Almighty Buck

After Demanding $3 Million Ransom, Hacker Dumps Massive Customer Financial Data (dailydot.com) 124

Patrick O'Neill writes: Just over week after a hacker breached a United Arab Emirates Bank, demanding a $3 million ransom to stop tweeting customers' information, he appears to have dumped tens of thousands of customer files online. The actual data appears to be real. And it's vast. One database analyzed by the Daily Dot includes the sensitive information of around 40,000 customers, including their full names, credit card numbers, and birthdays. One account contained 4,7174,962.38 dirham, or $12,844,589.77. Those accounts' total earnings add up to $110,736,002. One bank executive confirmed the hack to Farooqui, adding that, "This is blackmail."
This discussion has been archived. No new comments can be posted.

After Demanding $3 Million Ransom, Hacker Dumps Massive Customer Financial Data

Comments Filter:
  • Um, yeah ... (Score:5, Insightful)

    by gstoddart ( 321705 ) on Thursday December 03, 2015 @10:42AM (#51049677) Homepage

    "This is blackmail."

    Yes, that's exactly what it is.

    What do you think holding something for ransom is?

    • by hawguy ( 1600213 )

      "This is blackmail."

      Yes, that's exactly what it is.

      What do you think holding something for ransom is?

      Well no, at its core, it's just inadequate security practices by the bank.

    • Re:Um, yeah ... (Score:5, Insightful)

      by AmiMoJo ( 196126 ) on Thursday December 03, 2015 @11:08AM (#51049929) Homepage Journal

      They shouldn't pay it anyway. All they have is this guy's word that he won't release any (more) data. Maybe they pay him and he sells the data on to someone else, who then demands their $3m ransom too. No matter what happens they will have to treat it as if the information is public now.

      As well as losses due to theft, it will be interesting to see if there are any financial penalties from their regulator or if anyone manages to sue them. For one the people being screwed can afford good lawyers.

      • They shouldn't pay it anyway. All they have is this guy's word that he won't release any (more) data

        Isn't this kind of an intrinsic thing with blackmail and extortion?

        Yes, the guy shaking you down for money may not be honest and give you what he promised once you pay the money. Nobody ever said blackmail was done by honest, law abiding citizens.

        I mean, I don't disagree with you. But I'm pretty sure in any such situation you have no real way of knowing the bad guys will play fair.

        • by AmiMoJo ( 196126 )

          It reminds me of old blackmail movies where they demand the negatives, as if you can't fairly easily make copies of negatives or just keep some prints.

          • by TWX ( 665546 )
            At least duplicating negatives required equipment that most people neither had ready personal access to nor had training on, so if the blackmail content of the negatives was very sensitive then paying a photolab to duplicate the negatives properly could lead to exposing the blackmailer to extra risk.

            Modern digital content doesn't usually require any special equipment or training, and even your average neophyte could do it.
            • But making up a couple of dozen of prints to keep before you hand over the negatives would be easy. Granted, you couldn't make more after the negatives were out of your hands without a great deal of trouble, but you'd have those prints.

              • by TWX ( 665546 )
                You're still probably dependent on the photo lab to make the prints though. I've developed negatives and developed prints from negatives, it's a smelly, messy task that is beyond most people. One would have to be on the level of Charles Augustus Milverton to pursue hobbies or crafts specifically for their ability to be used for blackmail, and would have to blackmail in such quantity as to make a living from it in order to justify all of the security and other headaches associated with such a limited lifes
                • I've developed negatives and developed prints from negatives, it's a smelly, messy task that is beyond most people.

                  You know, I went to children's photography club as a kid, and I can't recall any of us having any trouble developing our photos. It's just a projector followed by two chemical bathes with rinsing with water between. Anyone who can use tweezers shouldn't have any problems.

                  • Black and white is well within the reach of even a casual hobbyist, although it's "anyone who can use tweezers and has access to a darkroom." Color tends to be rather more complicated; developing Kodachrome was strictly a job for professionals.

                • I've developed negatives [a] task that is beyond most people.

                  I was doing it at age 12 in mum's laundry, with good results, bought the equipment and supplies with pocket money.

          • My favorite is the floppy disk or thumb drive version. So easy to copy that there's no reason there wouldn't be duplicates everywhere.

          • Even in the days of negatives it was relatively easy to doctor photos. If a photo were to make it into the public one could say "That photo isn't real. It has been doctored." The party releasing the photo could say "No it hasn't. Here are the negatives." As any tampering with the negatives would be plainly evident. If the party couldn't produce the negatives the photo would be suspect - especially in a court of law. Where the law ins concerned, courts have always treated photographic evidence with mu

            • by Anonymous Coward

              As any tampering with the negatives would be plainly evident. If the party couldn't produce the negatives the photo would be suspect - especially in a court of law.

              Well, how about photographing a doctored print? Then you have negatives that have not been altered of an image that has.

            • by AmiMoJo ( 196126 )

              Sure, but negatives are not hard to duplicate.

        • by Lumpy ( 12016 )

          These same people think making guns illegal will remove them from criminals hands.

      • by ranton ( 36917 )

        They shouldn't pay it anyway. All they have is this guy's word that he won't release any (more) data. Maybe they pay him and he sells the data on to someone else, who then demands their $3m ransom too.

        That is why the ransom seekers should be asking for monthly installments. This way both sides have a vested interest in keeping the status quo.

    • Blackmail is such an ugly word. We prefer "fish paste".

    • Re:Um, yeah ... (Score:4, Interesting)

      by Wycliffe ( 116160 ) on Thursday December 03, 2015 @12:57PM (#51051035) Homepage

      "This is blackmail."

      Yes, that's exactly what it is.

      What do you think holding something for ransom is?

      Holding "something" for ransom isn't blackmail if that something is tangible. Even holding "information" for ransom isn't blackmail. If I have the password and won't give it to you until you give me $1M that's still not blackmail. Blackmail is when you threaten to release information for a ransom. The biggest problem with blackmail (as opposed to holding a password or something tangible for ransom) is that once the other party has that information, giving them the money really doesn't resolve the situation as they can still release it at any time in the future and/or demand more money to maintain status quo. Promises to delete the data, give you the only copy, etc... are hard to enforce or verify.

      • In particular, the common usage of the word "blackmail" refers to threatening to release information about the person or something that the person has done because the information is meaningful in of itself and potentially harmful to their reputation. While you certainly don't want everyone to know your credit card number, since they could use it to harm you financially, the fact that your credit card number is 1234-5678-1234-5678 doesn't really mean anything.
    • by rtb61 ( 674572 )

      There is a slight difference between blackmail and extortion. Technically threatening to expose actual account holders who have been say, taking bribes or cheating on taxes, unless they paid would be blackmail but threatening the Bank is more extortion. Of course for criminal investigators it all now is legal evidence, who knows what shenanigans have no been exposed.

    • "This is blackmail."

      Yes, that's exactly what it is.

      What do you think holding something for ransom is?

      Extortion, blackmail implies the bank did something that they don't want others to know about.

  • by Anonymous Coward on Thursday December 03, 2015 @10:46AM (#51049715)

    One bank executive confirmed the hack to Farooqui, adding that, "This is blackmail."

    Dude, it was blackmail. This is a shitstorm.

  • Just in time for a holiday shopping spree, paid for by ISIS!

  • One bank executive confirmed the hack to Farooqui, adding that, "This is blackmail."

    No shit, Sherlock!

    This bank executive's a real genius; I never would have guessed that this is blackmail. /s

    • The operative phrase here is "bank executive". You literally don't have to know ANYTHING to be an executive. That is what your staff is for.
  • Income inequality (Score:5, Informative)

    by Theaetetus ( 590071 ) <theaetetus DOT slashdot AT gmail DOT com> on Thursday December 03, 2015 @11:21AM (#51050059) Homepage Journal
    Complete aside, but...

    One database analyzed by the Daily Dot includes the sensitive information of around 40,000 customers, including their full names, credit card numbers, and birthdays. One account contained 4,7174,962.38 dirham, or $12,844,589.77. Those accounts' total earnings add up to $110,736,002.

    $110.7 million over 40,000 accounts is an average of $2,767.5 per account. That one guy with $12 million has over 4600 times the average.

    • by TheDarkMaster ( 1292526 ) on Thursday December 03, 2015 @11:36AM (#51050169)
      Well... The "1% owns everything" is not the usual bullshit or conspiracy theory, is very real.
      • I have a huge amount of cash savings but only a couple grand in a deposit account. Really, only a business or a dummy would have a large deposit.
    • I think you might be incorrect... You are comparing one account's BALANCE to the average EARNINGS (interest paid) of the others. There is no mention of the cumulative balance of the other 40,000 accounts. I also admit that the author may have thought the terms were interchangeable - but they are not.
  • by NostalgiaForInfinity ( 4001831 ) on Thursday December 03, 2015 @11:48AM (#51050307)

    One bank executive confirmed the hack to Farooqui, adding that, "This is blackmail."

    Yes, it is. But it is also something else, something much more important: lousy security, utter disregard for their customers, and negligence on the part of the United Arab Emirates Bank.

    When a bank loses customer data on this scale, the bank is the crook and the victim is the customer. Trying to portray the bank as the victim (of blackmail) adds insult to injury.

  • Does knowing birthdays, names, addresses, SSN's prove that a person *is* the person with that name, birthday and SSN?

    Not anymore! All that information has been stolen so many times.

    So any lender, or banker, who gives out money (loan or otherwise) to a person based solely on birthday, name, address and SSN has NOT done due diligence, and the bank should have FULL liability for any theft that occurs, NOT the poor unfortunate that rightfully owns the identity.

    We badly need to reform this system that uses such weak proofs of identity as "knowing' something. And we badly need to start blaming lenders/bankers for fraud that occurs because they are too stupid to realize that the data I mentioned isn't proof of identity.

    --PM

  • I was thinking about ways the bank could have mitigated the effects of the attack. Would it be worth releasing piles and piles of false identities? Generate so much noise that anyone who'd want to use the data would have no way to separate the wheat from the chaff.

    • How about current customers are given alternate methods to connect. Anyone using the released information from an IP address not previously used is forwarded to that infamous goat-site, and their IP address recorded. If that IP address can later be linked to an identity (i.e. e-mail) that person is auto-subscribed to an array of camel-porn mailing lists (unless they're already on them, in which case they're unsubscribed). Not perfect, but it might have some effect.

  • It's called "speculative invoicing".
  • Wonder if it will cost them more than $3 million to deal with the fallout from the breach of 40K customers. Perhaps it would have been cheaper to pay the ransom.

No spitting on the Bus! Thank you, The Mgt.

Working...