nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Defiant Labio lawyer spits on black hats after 'med data' theft

Rex Mundi blackmailers: Meh, cough up or we'll spaff the lot

By Jennifer Baker, 7 Apr 2015

Hacker collective Rex Mundi’s Twitter account has yet again been suspended after its latest extortion attempts.

The group, which says it has no motivation other than to make money, most recently targeted Labio, a French laboratory company specialising in private patients. Using the now-defunct @RexMundi2015 account, the hackers threatened to publish personal patient information if Labio did not pay €20,000.

Some files have indeed been published, but Paul Nicoud, a lawyer for Labio, was keen to downplay the damage.

“First, my client would like to clarify that the hacking has been less substantial than Rex Mundi claims. As soon as Labio was informed of the hacking, they immediately closed the data server and passwords have been disabled. To date, two types of data have been disclosed: a list of users and passwords (which have been disabled) and 11 blood test results. No other disclosure contains any medical data,” he told El Reg.

Labio is the 17th company to have data revealed by the blackmailers, but the group says that it will not “discuss or even acknowledge the fact that some of our past targets might have paid us”.

Despite loudly eschewing political motivations, Rex Mundi did try to pass the blame in a statement on 16 March, comparing poor security to leaving your friend’s car unlocked with the keys in the ignition in a dodgy neighbourhood. They asked who would be to blame if it were stolen, concluding that it’s a “moral dilemma”.

“The companies we targeted have only one thing in common: mediocre IT security protocols or poorly-designed web applications," the hackers said. "After successfully hacking a website, we always give its owners a clear choice: pay up to protect the data they failed to secure from getting released or refuse to pay to clean up their own mistakes. We automatically delete all of the stolen data once a full payment has been made.”

Labio says it is doing everything in its power to defend the privacy of its patients and is working with the police.

“Of course, Labio did not and will not give in to blackmail in the proper interests of Labio patients. Paying would encourage such unlawful behaviour,” said Nicoud.

There is still no mention of the incident on Labio’s website but the lawyer says the company has been in touch with patients directly.

Rex Mundi, meanwhile, says it will continue to target vulnerable websites. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing