back to article Hackers attempt to BLACKMAIL plastic surgeons

Cybercrooks attempted to extort a chain of cosmetic surgeons after hacking into its systems and stealing an estimated 480,000 files stuffed with info about prospective nip-'n'-tuck customers. Computer systems at Harley Medical Group, which has 21 clinics across the UK, were pillaged to loot personal details from nearly half a …

COMMENTS

This topic is closed for new posts.
  1. DaLo

    Through its contact form?

    Sounds like SQL injection - have we stepped back 10 years?

    1. Swarthy

      Re: Through its contact form?

      SQL injection is my guess, as well.

      I wouldn't expect a surgeon to be aware of the latest developments in web site security, but I would expect that they hired someone who is to develop and maintain their site. However, it seems that a lot of professionals in other industries believe that "any one can make a web site", and worse even those who do hire an expert to build the site do not see fit to have it maintained.

      I am not familiar with the site in question, but based on previous experience, it could be 10 years old... or written by someone who was "cheap" and either new to building sites, or an old dog who last learned a new trick 10 years ago.

    2. Tom 38

      Re: Through its contact form?

      Almost certainly we have stepped back 10 years to when their contractor initially wrote the website.

      SME, "working" website, why would they maintain, update or audit it? If they do anything to it, it will be getting a designer to "freshen" the look and feel, not go through the OWASP checklist.

      Personally, I think almost all businesses underestimate the importance of having in house software developers and maintaining custom software. However I might be slightly biased - as a software developer, I suppose I do have a dog in the fight...

    3. Cubical Drone

      Re: Through its contact form?

      Little Bobby Tables strikes again!!

      1. Peter2 Silver badge

        Re: Through its contact form?

        My question would be why the hell is a contact form storing stuff in a database?!

        The contact form on my company website just points at a hardcoded php form -> email script that I knocked up in about 5 mins when somebody asked if they could have a contact form on the website. Absolutely no client details are stored on the website, you could totally compromise every script on there and still gain nothing.

        1. Anonymous Coward
          Anonymous Coward

          Re: Through its contact form?

          How do you create your marketing lists or get statistical information from the form regarding the various fields they fill in?

          There's perfectly reasonable reasons for having a DB storing the details, just do it properly and use SPs, parametrise the variables or the equivalent.

          1. Peter2 Silver badge

            Re: Through its contact form?

            Easy. When it arrives at the marketing department then it gets pulled into the database as a prospect by our case management system, which also acts as a CRM system for sales.

            Admittedly, it's still in a database, however it's not web facing.

  2. JimmyPage Silver badge
    Joke

    SQL injection ?

    Botox injection, more like

    1. Anonymous Coward
      Go

      Re: SQL injection ?

      I think they'll be giving the website a facelift then.

      1. Elmer Phud

        Re: SQL injection ?

        "I think they'll be giving the website a facelift then."

        Certainly don't need any work on the boobs though.

        (something about tightening up the back door . . .)

  3. I ain't Spartacus Gold badge
    Devil

    I'm disappointed

    Surely there was a third alternative?

    They should have agreed to pay the blackmailers. Arranged for the handover in an underground carpark (where else?), then some laughing gas and drugs later, the criminals would wake up strapped to a densist's chair in a secluded location. One denist with strong german accent, a bit of giggling and drilling later, and I'm sure they could have got all the information returned, along with a fullsome apology.

    1. Tanuki
      Thumb Up

      Re: I'm disappointed

      I was more thinking of a quick shot of Ether followed by 'cashing in' the blackmailers' bodies at Nurse Nightingale's Body-Bank.

      Does anyone remember the horror movie "The Hands of Orlac"?

      1. Elmer Phud

        Re: I'm disappointed

        THERE IS NO JUSTICE, JUST ME!

      2. Anonymous Coward
        Anonymous Coward

        Re: I'm disappointed

        Or better yet,

        POST-OP

        Darkened basement, full of surgery equipment vaguely reminiscent of a scene from Dexter.

        The perp wakes up, still groggy from the anesthesia.

        Chirpy voiced Surgeon:

        Wakey wake sir, hope you don't mind. I had to borrow jus the tiniest bit of tummy fat to acheive the desired effect!

        Now won't you be popular in the Scrubs with those beautiful new boobies !

        PERP....... AHHHHHHHH, !!!!!!

    2. LaeMing

      Re: I'm disappointed

      "Give us back the data and we will swap your nose and genitals back."

    3. Tom 38
      Headmaster

      Re: I'm disappointed

      One denist with strong german accent

      If we're going to raise one of them from the dead, I think a MaggieT is more scary than a DenisT.

      1. I ain't Spartacus Gold badge

        Re: I'm disappointed

        Tom 38,

        Nice post, have an upvote. Even if you did point out my speeling miskate. There's 2 typos in my post, and both on the word dentist. Suppressed trauma perhaps? I don't remember anything too bad. Although my dentist when I was a kid did run away to Australia. But that was with £100k of NHS funds, rather than because of anything more sinister. Or so I was told anyway...

  4. codejunky Silver badge

    Anyone can be hacked

    When you realise this you have to accept it. Congrats to the medical group for responding as soon as they could to the issue, admitting the issue and working with the police to resolve it. Sounds like they handled the situation well

  5. This post has been deleted by its author

  6. Version 1.0 Silver badge

    Publish and be Damned

    The Duke of Wellington had the right attitude, chances are the NSA has all the details too so it's only a matter of time before the news leaks out. It's time that we, as a society, stopped allowing ourselves to be held to ransom by every snotty nosed b-steward that wanders along.

    We are being held to ransom by our own fears.

  7. disgruntled yank

    It has to be said.

    Tell the prospects, 'Chin Up!'.

  8. NileH

    The Data Protection Act imposes a legal obligation to keep personal data secure...

    But there's very little guidance on how secure.

    Partly, that's a good idea: detailed guidance would go out of date very quickly, and this law dates from 1998. So phrases like 'appropriate to the sensitivity of the data' and 'best practice' and 'reasonable precautions' are necessary.

    But I think it's time to start grading the data:

    ● 'Private' - identifying data, names and addresses.

    ● 'Confidential' - personal conversations and correspondence, purchasing habits, etc.

    ● 'Under legal privilege'

    ● 'Places individual at risk of violence'

    ● 'Places individual at an increased risk of fraud'

    ● 'Would immediately allow transfers of funds and assets'

    ● 'Medical information'

    ● 'Child Protection'

    I'm sure that you could think of others: but you wouldn't want to flag up any individual as having information of interest to blackmailers - say, a juvenile arrest for prostitution and subsequent referral to social services - as that 'flag' would be a magnet for criminals and journalists. And, in these times, for officials of the state.

    What would the flags do? Well, we'd need general security standards; starting with a minimum standard for private data specifying 'Encrypted data store', 'No passwords ever stored or sent in clear text' and 'Secure sessions'.

    Any information at a higher level than 'private' would need a security review of the host system every two years; and the ICO might consider issuing security alerts for high-profile exploits that require confirmation - 'yes, we've patched that' - within ten working days from the registered owner.

    The most sensitive data stores would need a yearly audit, to published standards, and a record of patches - with pen-test results - for all security alerts and vulns listed by, er... let me think... some public body that doesn't yet exist. There's probably a group within the Home Office that does this internally for the Civil Service - like the sysadmins at every bank - but I'm not aware that there is a state-sponsored *public* service, in any country.

    That's a gap in the law, and an obvious case for the statutory provision of a service, rather than everyone relying on purchasing a service from competing private enterprises.

    ...There is, of course, a gap between what *should* happen, and what actually does.

    The legal framework? This would probably be enacted as 'enabling legislation', in which regulations are 'Laid before Parliament' by the minister - in practice, it's handled by a regulatory agency that maintains and updates a book of regulations having statutory force. Look up the HSE and the Control of Substances Hazardous to Health regulations as the best example of this process.

    The Information Commissioner's Office *may* actually have the power to do this already - I'd be grateful if someone here is legally qualified to offer an opinion on that.

    Useful Link: The Information Commissioner's Office:

    http://ico.org.uk/for_organisations/data_protection

    That's the statutory body enforcing the Data Protection Act

  9. no_RS

    Don't these idiots encrypt anything? Systems getting compromised is pretty much expected these days so why oh why don't people encrypt the data?

    It's not exactly rocket science is it!!!

  10. Paul 129
    Windows

    'Nip Tuck'

    First thing that sprung to mind was the fate of people who tried to blackmail the guys on the series 'Nip Tuck'? Dont mess with plastic surgeons :-)

    Thumbs up on the handling of the 'stuff up'... So far.

    xkcd FTW

  11. xperroni
    Facepalm

    "How can you do surgery on plastic?"

    That was the question in my head as I read the article's headline. For some reason I couldn't for the life of me relate it to cosmetic surgery.

    I guess I'm just tired?

This topic is closed for new posts.

Other stories you might like