Naked Security

Hackers steal compromising photos from plastic surgery clinic

Nudity will always get people’s attention.

Which is probably a large part of the motive behind the latest attack by The Dark Overlord, the hacker group that gained an international profile in the past year-plus by advertising millions of medical records on the dark web, threatening schools and businesses and leaking Netflix shows.

Now it is apparently looking to raise its profile further, diversifying into lurid sensationalism with threats to leak graphic photos from a hack of a high-profile London-based plastic surgery clinic that caters to celebrities including, according to the group, some royals.

The Daily Beast reported on Monday that a member of the group contacted it using an email account from the victim – the London Bridge Plastic Surgery & Aesthetic Clinic (LBPS) – and included a cache of photos they said were from LBPS surgeries:

Many are highly graphic and close-up, showing surgery on male and female genitalia. Others show apparent patients’ bodies post-operation, and some include faces. None of a selection of tested photos returned any matches from Google reverse image searches, implying that they were indeed obtained from a private source.

The clinic acknowledged in a statement on its website that it had been breached.

We can confirm that the Clinic has been the victim of a cyber attack. We took measures to block the attack immediately in order to protect patient information and we informed the Metropolitan Police who launched an investigation.

Regrettably, following investigations by our IT experts and the police, we believe that our security was breached and that data has been stolen. We are still working to establish exactly what data has been compromised.

The clinic’s public relations firm, Marco Richards, did not respond to a request for comment on whether the hackers had been in touch with the clinic and if there are any extortion demands. But according to the hackers, the stolen data includes a lot more than graphic photos of famous people.

“We have TBs [terabytes] of this shit. Databases, names, everything,” a member of the hacker group told The Daily Beast, adding that they intended to make it all public:

We’re going to pitch it all up for everyone to nab. The entire patient list with corresponding photos. The world has never seen a medical dump of a plastic surgeon to such degree.

And if they do have what they claim, once the sensational element of the photos fades, the other stolen data could mean more long-term risk to the clinic’s customer base. As is the case with other high-profile hacks, medical records and personally identifiable information (PII) can lead to continuing nightmares ranging from blackmail to identity theft – criminals using the PII of victims to pose as them and get medical services, tax refunds, lines of credit and more.

This latest hack follows what seems to be the standard Dark Overlord MO: Break into an organization, steal data and then seek a level of publicity that will pressure the victim into complying with any ransom demand.

Motherboard reported in June 2016 that after the group stole hundreds of thousands of health care records, rather than immediately posting them, it advertised them on the dark web. It followed that with a claim that it had possession of 9 million health insurance records.

An encrypted chat with one of the hackers led to a loose description of the method:

First, he posts a database; then, he gives samples of the data to reporters, who go out and verify them. These articles, and the subsequent reblogging of them by other outlets, convinces companies that the hacker is a legitimate threat. These steps repeat over and over, building up the hacker’s reputation as someone to be taken seriously.

“I have a reputation with this handle now,” the hacker added. “Every time I put a new listing up it gets reported without hesitation now.”

Indeed, the group’s exploits have drawn plenty of press. It is also reportedly responsible for the hack late last year of Larson Studios, a Hollywood audio post-production firm. The company paid the group $50,000 in Bitcoin, but the group still leaked nine unreleased episodes of the Netflix hit “Orange is the New Black” this past spring after the network refused to pay an extortion demand.

Then just weeks ago in mid-September, the entire Flathead Valley, Montana school district shut down for three days after the group targeted several schools with death threats to parents and promises to release the PII of students, teachers and administrators unless a ransom was paid.

The Flathead County sheriff said the physical threats were more hot air than serious, in part because the group is believed to be overseas, not in the US. Still, out of caution, the district shut down for three days.

That may be in part because, as Motherboard noted, “depending on who they are communicating with, The Dark Overlord pushes itself as playful jester, ruthless criminal, or calculated professional.”

The variety of targets the group has attacked – which also include Gorilla Glue and a US defense contractor – is also a reminder that mega-corporations like Netflix or credit bureau Equifax are not the only targets of interest to hackers. Given that data is today’s real currency, just about every organization has things of value, which means no matter what an organization does, or its size, security matters.

LBPS is obviously now more aware of that. In their statement, they said they were “horrified” at the hack, adding:

Security and patient confidentiality has always been of the utmost importance to us. We invest in market-leading technology to keep our data secure and our systems are updated daily. We are deeply saddened that our security has been breached.

Chances are that horror and deep sadness aren’t going to mollify their clients.