
Loan application data hacked, company responds: Meh, not our customers

Hackers vow to publish all if AFC Kredieten doesn't pay up

By Jennifer Baker, 17 Jul 2015

Hacker collective Rex Mundi has stolen 24,000 financial records from Belgian loan company AFC Kredieten, it claims, and if the company doesn't pay up before Friday at 8pm, it will publish every loan applicant record in its possession.

As proof that they have successfully hacked the company, Rex Mundi has already published some personal accounts and left a banner notification on the AFC Kredieten website.

If it goes through with its threat, it will make AFC Kredieten the 18th company to have data revealed by the blackmailers. According to the collective, “the companies we targeted have only one thing in common: mediocre IT security protocols or poorly-designed web applications”.

The group said it informed the Antwerp-based company on Monday, but the website still showed the Rex Mundi banner on Thursday afternoon.

The company refused to comment beyond saying it would not negotiate. It appears the company feels no responsibility towards loan applicants whose data was stolen through the AFC Kredieten site – as they were not yet customers.

A spokeswoman for AFC Kredieten, when asked if customers whose data had been stolen had been informed, replied: "They are not our customers. They are applicants, we had not necessarily organised a loan for them yet. AFC Credits is the victim here. What that group did is illegal and writing about it would be against the law."

She also said that there would not be any reputational damage to the company if the records were published.

The hackers say they will not “discuss or even acknowledge the fact that some of our past targets might have paid us.”

The group, which says it has no motivation other than to make money, claims it always gives victims the opportunity to “pay up to protect the data they failed to secure from getting released or refuse to pay to clean up their own mistakes. We automatically delete all of the stolen data once a full payment has been made.” ®

The Register - Independent news and views for the tech community. Part of Situation Publishing