A chain of cosmetic surgery clinics in Lithuania has been hacked, and fallen victim to cold-hearted extortionists who have no qualms about blackmailing both the business and its customers.
According to media reports, a hacking group called the Tsar Team broke into the servers of Grožio Chirurgija and stole the personal data and more than 25,000 private photos of clients.
At first the Tsar Team attempted to sell the stolen data back to the clinic, for the eye-watering sum of 300 bitcoins (about half a million dollars). But when the clinic refused to play ball, the hackers targeted patients – demanding payments of up to 2000 Euros for the victim’s photos, home addresses, scans of passports and national insurance numbers.
The Grožio Chirurgija chain of cosmetic surgery clinics has thousands of customers in more than 60 countries around the world, including the UK, Germany, and Denmark, who travel to Lithuania for nips and tucks on the cheap.
Clients are thought to include celebrities, who might have particular interest in their details and private photos not leaking onto the internet.
Even the most selfie-obsessed individual would probably balk at the thought of private photographs of their wobbly or intimate body parts taken before and after surgery falling into the hands of the public.
The full database is now being offered for 50 bitcoins, a measly $112,000 at current rates, which is quite a reduction from the hackers’ initial demands.
Andzejus Raginskis of Lithuania’s police bureau told reporters that the data had been uploaded to the dark web:
“It’s extortion. We’re talking about a serious crime.”
On its website, the hacked chain of clinics says that it is working closely with the police, and is urging customers to take precautions.
Those precautions include telling clients to be wary of opening emails or clicking on links which may have been sent by the blackmailers, and to pass any communications (including SMS text messages they may receive) to the authorities.
Grožio Chirurgija is also advising concerned customers who find a link to their private data online to request its removal from the Google search engine as soon as possible.
All of which seems like sensible advice to me, but I was disappointed to see it only offered on the Lithuanian version of the surgery’s website and not on its (probably more widely understood) English language edition.
The cosmetic surgery says that it is strengthening its IT security in the wake of the attack. But for those innocent patients whose privacy has been put at risk, it really is a case of too little, too late.