14 DAY TRIAL // A group of unnamed hackers have released a statement claiming that they’ve managed to gain unauthorized access to the servers of Elantis, a company owned by Dexia, a Belgian-French financial institution. The cybercriminals demand that the bank pay them 150,000 EUR ($196,000) before May 4, or they will make the customer data they obtained public.
“In addition to database tables containing data such as internal login credentials, we downloaded numerous tables which contain Internet loan applications, as well as fully-processed applications. Those tables hold highly-sensitive data such as the applicants' full names, their jobs, ID card numbers, contact information and details about their income,” the hackers said.
The hackers claim that this is not blackmail. Instead, the bank has to pay what they call an “idiot tax” for leaving sensitive data unprotected on a web server.
“The only question that remains now is this -- After they carelessly treated their clients' data, will Dexia act to prevent their clients' data from being published online, or is their clients' confidentiality worth less to them than EUR 150,000?” they explained.
To prove that they’re serious, the hackers have published sample data from Elantis’ database, including user login details, customer complaints, and client information.
Also, in their statement, the cybercriminals highlight the fact that Elantis took down its public-facing website after the breach took place. This seems to be accurate since at press time, the site of Elantis was offline.
According to Finextra, the affected company’s representatives stated that they would not give in to blackmail. The authorities have been informed of the incident.
The clock is ticking and May 4 is almost here, so by Friday we’ll find out if the hackers are serious, or if law enforcement representatives manage to make a move before them. We’ll return with more details as soon as they become available.
Update. Jeff Hudson, CEO of Venafi, a security management provider, provided some interesting insight regarding the importance of encryption:
In real estate, it’s all about location, location, location. In information security, it’s all about encryption, encryption, encryption. This is a clear cut case where a prime piece of IT real estate, the database, should have encrypted all sensitive and customer information.
All too often, organizations have failed to place strong controls and policies around protecting customer information. There are simply no longer any excuses for this, especially when it comes to leveraging encryption.
Automated solutions make it easy and cost-effective to deploy and manage these critical security instruments across even the most complex global networks. Elantis and every other bank in the world should learn from this and take immediate action to encrypt sensitive customer data at the source.