Bank refuses to pay $3,000,000 ransom, hacker exposes customer account details

BitcoinA hacker has published the account statements of hundreds of United Arab Emirates (UAE) bank customers after his $3 million ransom demand went unfulfilled.

SC Magazine reports that beginning on November 18th, an individual known only as "Hacker Buba" began tweeting offers to "Sell #sql from #database" from Invest Bank, a financial institution based in Sharjah, UAE.

The stolen data was said at the time to total 900GB in size and to include the names, credit card information, and financial details of Invest Bank customers.

The hacker stated that he would remain silent about the hack if he were to receive approximately $3 million USD worth of Bitcoin from Invest Bank.

But the bank refused to budge.

"Yes, there was a data breach and we have been contacted by Hacker Buba. He is asking for money but I cannot reveal how much. This is blackmail. We have reported the matter to UAE Central Bank. The Telecom Regulatory Authority’s Computer Emergency Response Team is investigating," the bank's chief financial and operating officer told XPRESS. "We won’t give in to any extortion threat. In any case there has been no financial loss. All that this man has is some customer information and he's trying to use it as a bargaining chip."

Determined to secure his ransom, Hacker Buba contacted XPRESS and offered five percent of the profits he would make by successfully extorting banks he allegedly held in Qatar, UAE, and elsewhere to the journalist who broke the Invest hack story.

All the reporter needed to do was to help him convince Invest Bank to pay the ransom. (How exactly the reporter would have gone about to do this is unclear.)

Xpress report

By November 23rd, Hacker Buba had not received his ransom payment, and Twitter had shut down his original handle @hacker_invest.

But this didn't stop the extortionist. He simply created another Twitter handle and began tweeting out the account statements of 500 Invest Bank clients.

The files - some of which were Excel spreadsheets, while others appeared to WIRED to be entire SQL databases - contained credit card transactions, credit card numbers, authorization codes, and the amounts of purchase. No names were included, however.

The balances of some 50,000 bank cards were also purported to have been exposed. Some of these accounts contained up to $12 million USD individually, with their sum totalling up to $110 million.

Customers have expressed outrage at having their banking details leaked online, especially considering the fact that some of them were not notified about the breach until the newspaper contacted them for comment.

As I have written in the past, direct and timely communication is imperative when it comes to a company's post-incident response. Let us hope the reports that the bank failed to notify its customers of the hack before the Twitter breach are false.

If they are true, however, I anticipate this lack of communication will hurt Invest Bank's reputation much worse and for far longer than the actual breach will.

Tags: , , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , , , ,

2 Responses

  1. Simon

    December 8, 2015 at 10:34 am #

    I'm at two minds on this.

    It's good Invest Bank didn't give into extortion as it only encourages others.

    HOWEVER, not having the right mitigations to prevent this from occurring is very bad. Probably just as worst is their customers finding out from a 3rd party.

  2. Spryte

    December 8, 2015 at 7:09 pm #

    Snip>>>
    there has been no financial loss. All that this man has is some customer information and he's trying to use it as a bargaining chip.
    <<<Snip

    With that kind of attitude if I was a customer at that bank, I wouldn't be any longer!!
    Names, Account numbers. Credit Card information… All published on-line.

    I'd be pretty pissed off. And to find out about it in the news media, even worse.

    I do agree with the bank not paying (as Simon mentions above) but first let the customers know so they can cancel cards and put a watch on their accounts.

Leave a Reply