December 25th, 2020–A dark web hacking outfit claims to have purloined some 900 gigabytes of “before and after” photos from a UK cosmetic surgery chain with a litany of celebrity endorsements, vowing to release the images unless a ransom is paid.
The hack on the surgery chain, the Hospital Group, was reported by the BBC on Thursday, noting that the company had informed both its customers as well as the UK’s Information Commissioner’s Office of the data theft.
“We can confirm that our IT systems have been subject to a data security breach. None of our patients’ payment card details have been compromised but at this stage, we understand that some of our patients’ personal data may have been accessed,” the chain, also known as the Transform Hospital Group, said in a statement, adding that it is also working with local police and the National Cyber Security Centre in addition to the ICO.
The hacking crew, known as REvil and reportedly behind a series of similar cyber-attacks, took to the dark net threatening to release “intimate photos of customers,” warning they are “not a completely pleasant sight.” It remains unclear what the attackers demanded for ransom, however.
The Hospital Group said it had notified all of its patients about the incident and would provide them with “regular updates as the picture becomes clearer,” according to The Telegraph. The chain has counted among its customers a number of celebrities, including former ‘Big Brother’ contestant Aisleyne Horgan-Wallace, ‘Shameless’ actress Tina Malone and British pop singer Kerry Katona.
Though the company said that many of the photos would not include the faces of patients, one former customer told the BBC he was anxious after the hack, saying “I’m obviously concerned as the last thing I want is ‘before photos’ being splattered around in the public domain. “I’ve tried to keep my surgery private and not even some of my friends and colleagues know about it, so the data breach is concerning for me.
The same black hat outfit, also known as “Sodinokibi,” claimed back in May that it stole damning information on US President Donald Trump from a New York entertainment law firm while demanding $42 million in ransom from anyone willing to pay – whether it be Trump, his supporters or even his critics looking for dirt. While it did later publish a collection of some 169 emails, only a few of them made mention of the US president, none of them containing the “dirty laundry” initially claimed.
The hackers also said they grabbed up a sizable trove of data on celebrities including Madonna, Lady Gaga, Bruce Springsteen, Nicki Minaj and Mariah Carey in the same breach, though by all indications the law firm refused to hand over the cash. Police agencies typically urge victims not to pay ransoms to cyber criminals, as it only bolsters their operations and often fails to prevent the publication of stolen data.