A hacker group called Dark Overlord is threatening to release pictures of a number of celebrities who had undergone cosmetic surgery at the London Bridge Plastic Surgery clinic.
The hacker group stole images of cosmetic surgeries conducted on celebrities by hacking into systems owned by the London-based clinic.
In an official statement, the London Bridge Plastic Surgery clinic confirmed that its systems had indeed been hacked by hacker group Dark Overlord and that it was 'horrified' by the fact that its patients were targeted.
'We can confirm that the Clinic has been the victim of a cyber attack. We took measures to block the attack immediately in order to protect patient information and we informed the Metropolitan Police who launched an investigation,' it said.
'Regrettably, following investigations by our IT experts and the police, we believe that our security was breached and that data has been stolen. We are still working to establish exactly what data has been compromised.
'The group behind the attack are highly sophisticated and well known to international law enforcement agencies having targeted large US medical providers and corporations over the past year. We are horrified that they have now targeted our patients,' it said.
'We are profoundly sorry for any distress this data breach may cause our patients and our team are available around the clock to speak to anyone who has any concerns by calling 0203 858 0664.'
Dark Overlord is well known for its past involvement in online extortion. In June, the group released ten episodes of the popular series 'Orange Is the New Black' on the web after Netflix refused to pay the ransom. A hacker belonging to the group recently contacted a reporter for The Daily Beast and owned up to the latest hack.
'We're going to pitch it all up for everyone to nab. The entire patient list with corresponding photos. The world has never seen a medical dump of a plastic surgeon to such degree,' the hacker said. Even though the group has not made any extortion demands yet, cyber security experts aren't amused.
'This attack really shows that every business is a potential target to cybercriminals. The fact they’ve targeted photos and patient lists is a classic extortion tactic,' says David Kennerley, director of Threat Research at Webroot.
'They’ve gone for potentially embarrassing information that London Bridge Plastic Surgery customers will be upset if made public, rather than obvious financial data.
'Organisations need to be reminded that they remain responsible for all information entrusted to them by their customers and make sure their data is fully protected. Organisations need to ensure that firstly, adequate technical defences are in place – including threat intelligence technologies, up-to-date software and operating systems and adequate employee education,' he adds.
It is now obvious that systems used by the London clinic were either running old operating systems or were not patched with the latest security updates, and this lack of cyber resilience has come back to haunt them. For such firms, the upcoming data protection law will be the motivation they so sorely need to protect customer data.
'With the introduction of these new laws and the upcoming GDPR, it is essential that organisations are taking all the necessary steps to ensure that they are compliant with these regulations or else risk facing devastating consequences, not only from a financial perspective but for their reputation too,' said Peter Carlisle, VP of EMEA at Thales e-Security.
'With fines of £17 million or 4 per cent of global turnover for noncompliance, good data management just became an essential for all consumer-facing businesses. The price of non-compliance could be fatal,' said Greg Hanson, VP of EMEA cloud at Informatica.