How mandatory intrusion disclosure might be used to destroy competition #security #compliance

So there’s this:

We copied a table from the server’s database that contains the names, DOB, email addresses and phone numbers of 580 loan applicants, along with the amounts of requested loans and the intended purposes of those loans.

We have offered Buy Way not to publish this data on the Internet, for a small fee of course. This fee is EUR 20,000 (Twenty thousand Euros).

So far, we have unfortunately not heard back from the people over at Buy Way. They have until this Saturday morning to pay us. In case they do not do so, we will publish the data in our possession on the Internet, as we have done in the past.

via Buy Way buyway.be Hack – Pastebin.com.

…and it’s clearly extortion, and is so far past the point of “this is a bad and illegal thing” that there is no defence for it.

But I offer it as (let’s assume it’s real for the moment) evidence that this sort of thing goes on.

Why?

Because a year ago I was at a UK “cybersecurity” round-table with lots of UK BIS people, and one of the attendees – representing somewhere I forget – sweetly came out with a quote along the lines of:

One way that we could improve cybersecurity is to make reporting of intrusions mandatory and levy heavy fines against any CEO who fails to report intrusions, thereby to raise awareness and to guarantee sharing of information of ongoing security incidents, so that we can address them all more rapidly and collectively.

I immediately burst out laughing – sorry, that happens occasionally. People looked at me quizzically, and I explained:

Excellent! Imagine that I am an SME and I want to destroy my competition. I pay a bunch of Ukrainians to exfiltrate all my competitors’ data, steal all their customers, and then snitch on them to the Government for failing to disclose and let the Information Commissioner and the tabloids deliver the coup de grâce.

It seems that the people who are tasked with setting cybersecurity policy are unfamiliar both with the law of unintended consequences and with thinking “outside the box”.

I find this worrisome.
