DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Hackers demand EUR150K ‘idiot tax’ from Dexia in return for stolen customer data

Posted on May 2, 2012 by Dissent

A group claiming to have hacked a Dexia Bank subsidiary’s database is threatening to post sensitive customer information unless it receives an “idiot tax” of EUR150,000 by Friday.

In a pastebin statement addressed to the media, the unnamed group says it has “downloaded extensive confidential customer information” from servers belonging to Elantis, a mortgage and consumer credit unit of Belgium-based Dexia.

The data – a sample of which has been posted in the message – apparently includes loan applications featuring full names, job descriptions, ID card numbers, contact information and income details.

Read more on Finextra.

The full media statement follows:

Dear members of the media,

Last week, our group downloaded extensive confidential customer information from Elantis’ servers. Elantis is a money lending company which belongs to renowned Belgian bank, Dexia (Do not bother trying to
reach their website, they disconnected their server after we hacked into it).

In addition to database tables containing data such as internal login credentials, we downloaded numerous tables which contain Internet loan applications, as well as fully-processed applications. Those tables hold highly-sensitive data such as the applicants’ full names, their jobs, ID card numbers, contact information and details about their income.

It is worth pointing out that this data was left unprotected and unencrypted on Elantis’ servers.

We contacted Dexia over the weekend to offer them not to publicly release this data over the Internet if they agreed to pay us the equivalent of roughly EUR 150,000 before Friday, May 4th. So far they have declined to do so.

While this could be called ‘blackmail,’ we prefer to think of it as an ‘idiot tax’ for leaving confidential data unprotected on a Web server.

The only question that remains now is this — After they carelessly treated their clients’ data, will Dexia act to prevent their clients’ data from being published online, or is their clients’ confidentiality worth
less to them than EUR 150,000?

Time is running out.

The hackers involved did not identify themselves or point to any Twitter accounts.

Update: Loek Essers of IDG obtained some additional details on the breach. The bank says it will not pay blackmail, which is just as well as it seems the hackers didn’t give them any instructions as to how they were supposed to make the payment. It may well be that the hackers’ threat was just to call more attention to the bank’s lack of security for their data, but just making the threat could add years to any sentence if/when the hackers are caught.

Related posts:

  • Who is on TEKsystems Intel Leak
  • Commentary: Repeated insider breaches at TD Bank should trigger federal regulator investigation (update 1)
  • Operation Anti Security Breakdown and targets, the full time line
Category: Breach IncidentsFinancial SectorHackNon-U.S.

Post navigation

← Global Payments breach went on for at least 8 months – revised estimate
FL: DCF warns child care workers of possible computer security breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Breaches have consequences (sometimes)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit
  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France
  • France issues press statement about arrest of ShinyHunters members
  • Patients Allege Home Delivery Pharmacy Failed to Timely Notify Them of Data Breach
  • Hackers breach Norwegian dam, open valve at full capacity
  • Patient death at London hospital linked to cyber attack on NHS
  • ShinyHunters and team members arrested in France (2)
  • Texas Enacts Liability Shield From Punitive Damages for Certain Small Businesses That Adopt Cybersecurity Programs
  • Dublin ETB fined €125,000 for data protection breaches

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How Internet of Things devices affect your privacy – even when they’re not yours
  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule
  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.