DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Hackers demand EUR150K ‘idiot tax’ from Dexia in return for stolen customer data

Posted on May 2, 2012 by Dissent

A group claiming to have hacked a Dexia Bank subsidiary’s database is threatening to post sensitive customer information unless it receives an “idiot tax” of EUR150,000 by Friday.

In a pastebin statement addressed to the media, the unnamed group says it has “downloaded extensive confidential customer information” from servers belonging to Elantis, a mortgage and consumer credit unit of Belgium-based Dexia.

The data – a sample of which has been posted in the message – apparently includes loan applications featuring full names, job descriptions, ID card numbers, contact information and income details.

Read more on Finextra.

The full media statement follows:

Dear members of the media,

Last week, our group downloaded extensive confidential customer information from Elantis’ servers. Elantis is a money lending company which belongs to renowned Belgian bank, Dexia (Do not bother trying to
reach their website, they disconnected their server after we hacked into it).

In addition to database tables containing data such as internal login credentials, we downloaded numerous tables which contain Internet loan applications, as well as fully-processed applications. Those tables hold highly-sensitive data such as the applicants’ full names, their jobs, ID card numbers, contact information and details about their income.

It is worth pointing out that this data was left unprotected and unencrypted on Elantis’ servers.

We contacted Dexia over the weekend to offer them not to publicly release this data over the Internet if they agreed to pay us the equivalent of roughly EUR 150,000 before Friday, May 4th. So far they have declined to do so.

While this could be called ‘blackmail,’ we prefer to think of it as an ‘idiot tax’ for leaving confidential data unprotected on a Web server.

The only question that remains now is this — After they carelessly treated their clients’ data, will Dexia act to prevent their clients’ data from being published online, or is their clients’ confidentiality worth
less to them than EUR 150,000?

Time is running out.

The hackers involved did not identify themselves or point to any Twitter accounts.

Update: Loek Essers of IDG obtained some additional details on the breach. The bank says it will not pay blackmail, which is just as well as it seems the hackers didn’t give them any instructions as to how they were supposed to make the payment. It may well be that the hackers’ threat was just to call more attention to the bank’s lack of security for their data, but just making the threat could add years to any sentence if/when the hackers are caught.

Category: Breach IncidentsFinancial SectorHackNon-U.S.

Post navigation

← Global Payments breach went on for at least 8 months – revised estimate
FL: DCF warns child care workers of possible computer security breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Texas gastroenterology and surgical practice victim of ransomware attack
  • Romanian Citizen Pleads Guilty to ‘Swatting’ Numerous Members of Congress, Churches, and Former U.S. President
  • North Dakota Enacts Financial Data Security and Data Breach Notification Requirements
  • Pro-Ukraine hacker group Black Owl poses ‘major threat’ to Russia, Kaspersky says
  • Vanta bug exposed customers’ data to other customers
  • Lyrix Ransomware Targets Windows Users with Advanced Evasion Techniques
  • Central Maine Healthcare tackles suspected cybersecurity issue; hospitals remain open
  • Cartier Data Breach: Luxury Retailer Warns Customers that Personal Data Was Exposed
  • Beyond the Pond Phish: Unraveling Lazarus Group’s Evolving Tactics
  • Akira doesn’t keep its promises to victims — SuspectFile

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Supreme Court Agrees to Clarify Emergency Situations Where Police Don’t Need Warrant
  • Stewart Baker vs. Orin Kerr on “The Digital Fourth Amendment”
  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.