
Hackers attempt to blackmail cosmetic surgery firm, after stealing up to 500,000 patients’ records

The personal details of nearly half a million people considering cosmetic surgery may have been accessed by hackers, who then attempted to blackmail a leading chain of clinics.

The online criminals struck last month, breaking into servers belonging to the Harley Medical Group, which has 21 clinics across the United Kingdom.

According to the company, the information stolen was extracted from its website enquiry form, meaning that the hackers could have accessed some 480,000 records containing potential clients’ names, addresses, dates of birth, email addresses and telephone numbers, as well as details of the particular type of cosmetic procedure they were interested in.

Harley Medical Group said in a statement to customers affected that it had no reason to believe that further clinical or financial information was accessed, and that it had informed the police and the UK’s Information Commissioner’s Office (ICO) about the data breach.

We acted immediately when we became aware that an individual had deliberately bypassed our website security, gaining access to contact information from initial inquiries, in an attempt to extort money from the company.

The police and the Information Commissioner were notified and we contacted everyone whose inquiry may have been accessed to apologise and to reassure them that all clinical and financial records remain totally secure.

We have taken action to further strengthen the security around website inquiries.

Details of precisely how the hackers managed to access what should have been private, securely stored information have not been made public, but one thing is clear: the motivation for this attack was financial.

If you’re considering having a tummy tuck, a breast enlargement or some other form of cosmetic surgery, chances are that you want to keep the treatment private.

There aren’t many people who are comfortable admitting that they have confidence issues with their physical appearance. And, for that reason, you would hope that cosmetic surgery clinics keep a close guard on the personal data of their clients and potential customers.

And chances are that the people who are considering having cosmetic surgery are well-heeled with plump wallets. Some may even work in the entertainment industry, and be nervous about the great unwashed public knowing that they have had their nose fixed or a boob job.

Such information could be used not just to embarrass an individual, but also – potentially – to extort money from them. Furthermore, the private information could be sold to tabloid newspapers or entertainment websites that are scrabbling for some showbiz tittle-tattle to fill their pages.

It’s good that Harley Medical Group contacted the police, informed the ICO, and contacted those people whose data may have been compromised.

However, everyone will be disappointed to hear that the private information of thousands of people has been exposed by the company’s sloppy security.

Any organisation storing sensitive information has a duty to defend it properly, with layered security, properly hardened websites and strong, tough-to-crack encryption.

If firms don’t take steps to properly protect their customers’ information, they shouldn’t be surprised if those customers take their custom elsewhere.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.