[HN Gopher] Hackers threaten to leak plastic surgery pictures
       ___________________________________________________________________
        
       Hackers threaten to leak plastic surgery pictures
        
       Author : g_p
       Score  : 124 points
       Date   : 2020-12-24 17:00 UTC (6 hours ago)
        
 (HTM) web link (www.bbc.co.uk)
 (TXT) w3m dump (www.bbc.co.uk)
        
       | hprotagonist wrote:
       | Paging King Roland of Druidia...
        
       | imgabe wrote:
       | This sort of thing just shouldn't even be a viable threat. The
       | response should be "go ahead and publish it, who cares?"
       | 
       | If you heard tomorrow that there were a bunch of plastic surgery
       | before and after photos online, would you even go look? What is
       | the threat here - that people will search the data for people
       | they know and...make fun of them? Really?
        
         | SirSavary wrote:
         | People who have gone through gender affirmation surgery may
         | want that to remain hidden knowledge
        
       | breck wrote:
       | > "None of our patients' payment card details have been
       | compromised but at this stage, we understand that some of our
       | patients' personal data may have been accessed."
       | 
       | Reminds me of a statement put out by White Star Lines in 1912:
       | 
       | "None of our passengers payment card details have been
       | compromised but at this stage, we understand that some of our
       | passengers personal lives may have been affected."
        
         | function_seven wrote:
         | The deck chairs appear to be arranged optimally at this time,
         | but we understand that other circumstances may reduce demand
         | for them.
        
       | pstrateman wrote:
       | Why would you even keep these on anything but archive media??
        
         | zimpenfish wrote:
         | Perhaps they bring them out to show people who are considering
          | the same surgeries but haven't yet committed?
         | 
         | (Although I'd hope they obscure identifying details and get
         | permission from the original patients...)
        
         | tompazourek wrote:
         | The patient can come for a checkup or a related thing and they
         | want to be able to easily retrieve these if they want to check
         | something (or in case there's an issue of sorts). Having it all
         | in a single system is the easiest way to do that.
        
         | arkitaip wrote:
         | Because they are lazy, incompetent and indifferent. But they
         | might be against a very powerful and public group of people who
         | can sue them out of existence, so maybe that will scare other
         | health providers into better security practices.
        
           | sidlls wrote:
           | You hinted at it but didn't mention it explicitly: greedy. It
           | simply costs more to have somewhat better security practices,
           | and they don't want to pay unless they have to.
        
             | bigbubba wrote:
             | Lazy indifference probably explains it more than greed I
              | think. If they cared, a doctor could add _"burn a CD and
             | put it in the filing cabinet with the other patient
             | records"_ to the job duties of their secretary without
             | increasing their compensation. It would only take a few
             | more minutes, and would only slightly detract from the time
             | they spend idly chatting with each other.
             | 
             | But they simply don't care.
        
               | ironmagma wrote:
               | Whether the cause is laze or greed, criminal consequences
               | would probably motivate people to actually care about
               | this stuff.
        
               | novok wrote:
               | More accurately, they are NOT tech professionals, the
               | type of people who do IT for small private practices are
               | not that good either and they really just don't know for
               | the majority of it. You really can't expect these people
               | to understand the full consequences of stuff like
               | encryption, offline vs online media and more. To them, if
               | it has a user name and password, that is safe right? Use
                | the HIPAA lockbox software and it should be good right?
               | 
               | In the past before computers they would be putting these
               | in files on a large file folder shelving units with
               | colored folder tabs behind a counter and the only real
               | security was a receptionist that would stop you if you
               | tried to interact with it, and they locked the door to
               | the office when they left. If someone broke into the
               | office back then too, your medical records would've been
               | stolen & unencrypted (beyond the illegibility of most
               | doctor's handwriting) and as a society, we were ok with
               | that security level.
        
               | jeffbee wrote:
               | I don't want them to be tech professionals. I want them
               | to use the best in class tools they can get, which it
               | turns out are also the easiest to use and often the
               | cheapest. If this surgery practice had just kept their
               | photos on Google Drive with GSuite admin policy enforcing
               | 2FA, they would have been most of the way to gold
               | standard infosec and also would have dramatically better
               | real-world durability and availability. Any consultant
               | could have set them up that way in an hour.
        
               | novok wrote:
               | That doesn't protect against the kind of attack that
               | compromises the end point (wait for logged in 2FA state,
               | interact with browser in the background with exact same
               | state in a headless mode and download), and you do not
               | know when they set up their systems where Gsuite, 2FA &
                | HIPAA / UK Equivalent agreements were even available
               | back then.
               | 
               | For all you know, they could have had that system too,
               | the article does not say what it was.
        
               | jeffbee wrote:
               | These kinds of things never turn out to be that
               | sophisticated. It's always that they left the SMB port
               | open and the password was "password".
        
               | bigbubba wrote:
               | You're probably right that ignorance is the root of their
               | apathy. Hopefully with this event making the news,
               | doctors at least in the same specialty will hear about it
               | and do something. Unencrypted offline records physically
                | secured in the office building seems more than adequate
               | in all but the most exceptional scenarios though. Maybe
               | it wouldn't be good enough for doctors of high-value
               | targets (celebrities, politicians, etc.) Burglars
                | targeting medical records seems uncommon.
               | 
               | Harsh fines are probably the best way to make doctors
               | care though. If they know they risk financial ruin for
               | not securing their records, they'll have a strong
               | personal incentive to remediate their ignorance.
        
               | cratermoon wrote:
               | You'd think that, but... SolarWinds
        
             | ars wrote:
             | Keeping data on live hard disks costs quite a bit more than
             | archiving it to tape or DVD and sticking it in a file
             | cabinet.
        
               | jdeibele wrote:
               | There's a one-time purchase of bigger/more disks. Figure
               | 1GB (50 20MB pictures) per customer. Just add another
               | 2TB, then 4TB, now 8TB or bigger drive. That's about $250
               | or $300 each time. Double that for a sync'd drive
               | somewhere in the office.
               | 
               | Now they should be doing 3-2-1 backups. With S3 they'd be
               | paying $160/month (for storage, not counting other costs)
               | for 8TB or $40/month for BackBlaze B2. That's 8,000
               | customers.
               | 
               | They're in England so some variance in pricing. But it
               | would be relatively inexpensive to buy big drives, sync
               | them to a set in the office, and back them up online.
               | Where the doctors or whoever is running the clinics can
               | SEE the data is still there whenever they want.
               | 
               | I agree that there should be increasing worry about
               | keeping information that you don't need, whether it's
               | intimate pictures of your surgical clients or people who
               | bought from you 5 years ago and not since. But it seems
               | like keeping things handy will be an impulse that's hard
               | to overcome.
        
               | novok wrote:
               | TBH DVDs / Blu-Rays are too low density, expensive and
               | labor intensive, and tape drives start at $1000 and most
               | non tech professionals don't know they even exist. 2.5TB
               | of 25 100GB writable BDXL disks cost about $250. A 4TB
               | drive costs $80 and a computer to throw in 3.5" HDDs
               | pretty cheap too.
        
           | adkadskhj wrote:
           | Maybe. Sounds like their incentive will be primarily to keep
           | _some_ records more safe. Eg i'm skeptical that this would
           | propagate to poor people, without legislation at least.
           | 
            | _(which isn't to say that they'd purposefully choose two
           | different implementations. Rather, just that if i'm using
           | poor person doctors i'm unsure they'd rise to the new
           | "standard" of security practices)_
        
         | Aeronwen wrote:
         | "I'm a doctor, not a computer security expert, Jim!"
        
         | elliekelly wrote:
         | I didn't let my plastic surgeon take before and after photos
         | for this exact reason. I asked him whether it was necessary for
         | the procedure and what they were used for and he couldn't
         | really give me an answer beyond it's nice to be able to compare
         | the finished product. So I told him when I came back in for my
         | post-op I'd be more than happy to pull up a before picture on
         | my phone for him to use to admire his work. I even let him take
         | the "before" photo on my phone. I'm sure he thought I was a
         | paranoid tinfoil hat type but he really didn't seem to mind.
        
         | nwatson wrote:
         | Why does a software engineer keep old git-repo branches around,
         | including their history? The engineer can compare the before-
         | and-after especially as they relate to experiments, successful,
         | and failed approaches.
         | 
         | A plastic surgeon might want to look at before-and-after for a
         | few of their "branches" (specific plastic surgeries or repeated
         | applications of a technique). "When I did celebrity-A I notice
         | they sag too much in location-X, whereas for celebrity-B where
         | I changed the procedure location-X looks much better."
         | "Celebrity-P has the same odd nose Celebrity-K had ... let me
         | consult my notes and the before/after for Celebrity-K."
        
           | [deleted]
        
         | EvanAnderson wrote:
         | Why does everybody keep data hanging around forever? It's
         | easier. You don't have to think about it. Just keep kicking the
         | files onto new media every few years / at a new server refresh.
         | 
         | I did some IT work for a plastic surgery practice in the US
         | many years ago. I was adding some storage to an existing
         | server. I was shocked to see that the practice was keeping all
         | their before / after photos online going back years. Not
         | encrypted. Hanging out in Windows file shares with lax
         | permissions.
         | 
         | It certainly gave me pause.
         | 
         | Maybe some software providers in this space will think about
         | handling this better.
        
       | fabianhjr wrote:
       | What always amazes me is that credit card data is almost always
       | safe since VISA/MasterCard and others have very stringent
       | security requirements. (PCI DSS)
       | 
       | There are some regulations regarding medical data (Eg, HIPAA) but
       | security seems like an afterthought in most hospitals at best.
        
         | Godel_unicode wrote:
         | Let's not go letting credit card processors off the hook, this
         | was barely a month ago. Part of our security team is
         | essentially full-time on dealing with the consequences of
         | actors using stolen credit cards.
         | 
         | https://www.forbes.com/sites/billhardekopf/2020/11/13/this-w...
        
           | fabianhjr wrote:
           | From that article:
           | 
           | > security researchers from Website Planet found that Cloud
           | Hospitality stored information from more than 10 million
           | travelers on an unsecured database with no password
           | protection.
           | 
           | That will be taken by credit card companies as gross
           | negligence and breach of contract (they include PCI DSS
           | compliance on all contracts and a requirement that they do
           | the same for anyone that processes credit card data for them)
           | plus anyone going the legal route (and indeed there are
           | reports of a class action that mention PCI DSS compliance
           | explicitly)
           | 
           | My original comment was more in regards the care and security
           | that is expected.
        
         | hahamrfunnyguy wrote:
         | I've done work in the medical industry, both for hospitals and
         | private software companies developing medical software. In my
         | experience; security, stability and compliance with HIPAA and
         | other regulations are taken very seriously.
        
           | xxs wrote:
            | That's UK, no HIPAA per se. Funny enough, the infamous GDPR
           | applies and data leaks are quite punishable.
           | 
           | The Hospital Group is in a quite bad position: 1) the
           | blackmail, in no definition that's ransom. 2) The data leak
           | has to be reported and potentially they will get fined by the
           | state.
           | 
           | As for taking regulation seriously, I guess it does depend on
           | the industry. Where I work GDPR and regulatory breaches are
           | treated more seriously than downtime.
        
           | Bukhmanizer wrote:
           | In my experience HIPAA is taken very seriously in the sense
           | that people are willing to have meetings _about_ HIPAA, with
           | furrowed brows and serious expressions and a lot of
           | signatures. Are the actual end-products more secure? No
           | probably not. Of course this probably varies drastically from
           | place to place.
        
             | jabits wrote:
             | Like you said, it may vary place to place, but you are
             | definitely more secure when complying with HIPAA than
             | without. The very act of discussing security within an
             | organization in a structured way is a good start.
             | 
             | edit: missing word
        
           | fabianhjr wrote:
           | There are plenty of reports of hospitals using out-of-support
           | Windows versions (95-XP) with known vulnerabilities on
            | _network-connected_ devices. (
           | https://nakedsecurity.sophos.com/2020/02/20/nearly-half-
           | of-h... )
           | 
           | On the parent comment I am not saying that hospitals aren't
            | HIPAA compliant but rather that the security expectations of
           | credit card data are higher than medical data.
        
           | speedgoose wrote:
           | Same. And we have external audits and experts checking what
           | we do.
        
         | OminousWeapons wrote:
         | Securing payments is much simpler than securing medical data in
         | many ways because payment processors are centralized entities
         | with established protocols for data transmission, where
         | communication is largely many (vendors) to one or few (the
         | processors), and where only one type of data is being moved.
         | Health care organizations are HIGHLY decentralized entities
         | where authentication is extremely difficult; where orgs employ
         | many different protocols and software stacks; where many
         | different types of data need to move freely between many orgs,
         | with various levels of sophistication, in many different
         | directions (patient to provider, provider to patient, provider
         | to provider, provider to payer, payer to provider, patient to
         | payer, payer to payer, provider to regulator, provider to
         | researcher, provider to vendor, etc), with few established
         | standards for how that is done (paper, phone, email, web
         | application, fax, API, snail mail, CD, hard drive, USB, etc),
         | with many people having access; and where organizations need to
         | be porous, with high turnover by design. It should also be
         | realized that a failure to access payment data or process a
         | payment results in lost business and headaches. A failure to
         | access medical data may kill someone, so tradeoffs between
         | confidentiality and availability are much more nuanced.
        
           | 542458 wrote:
           | Good comment, especially WRT trade off between
           | confidentiality and availability. Nonetheless, I do feel that
           | many of these items (few standards, little interchange, often
           | old tech, data decentralization) are primarily problems
           | because the vendors and hospitals don't really have strong
           | incentive to solve them. I do appreciate that the problem is
           | non-trivial, but I don't think that the problem would be
           | unsolvable should the appropriate incentives be put into
           | place.
        
           | radicalbyte wrote:
           | In the medical world you have standards (HL7, DICOM, XDS)
           | which are all about throwing large amounts of data around
           | hospital networks (and in the case of XDS - outside). It's a
           | castle with moat model of security - everything within the
           | network is trusted and they focus on keeping the bad guys
           | out.
           | 
           | Obviously that's a horrible strategy and it delivers the
           | expected results..
        
           | jrumbut wrote:
           | This is an amazing summary of the problem and why it remains
           | a problem.
        
         | tidepod12 wrote:
         | I've worked as a security consultant for healthcare companies
         | for years. The HIPAA Security Rule is a joke. The HIPAA
         | Security Rule requirements are extremely basic things like
         | "users must have their own login username rather than sharing
         | an account" or "data should be encrypted where appropriate"
         | (and it's left up to the company to decide where they think is
         | "appropriate". There's also zero requirements around the type
         | of encryption or implementation around it.. you could use a
         | Caesar cipher and probably pass a HIPAA audit).
         | 
         | Yes, as the other commenter mentioned, hospitals do "take it
         | seriously" in the sense that they put a lot of importance on
         | passing HIPAA audits... but passing a HIPAA security audit is a
         | checkbox exercise for security controls that are a decade+
         | outdated. It means absolutely nothing about an organization's
         | _actual_ security maturity.
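
The contrast tidepod12 draws above, worked as code. This is an added example, not code from the page, from any HIPAA guidance, or from The Hospital Group: a Caesar cipher that a checkbox audit might accept as "encryption where appropriate", broken with no key in at most 26 tries, beside AES-256-GCM from the Go standard library, which also binds the record identifier as associated data so a ciphertext cannot be quietly re-filed under another patient. The record text and patient IDs are constructed sample data; the function and variable names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// caesarShift is the kind of "encryption" a checkbox audit might accept:
// rotate ASCII letters by a fixed amount. Keyspace of 26, no integrity.
func caesarShift(text string, shift int) string {
	shift = ((shift % 26) + 26) % 26
	var b strings.Builder
	for _, r := range text {
		switch {
		case r >= 'a' && r <= 'z':
			b.WriteRune('a' + (r-'a'+rune(shift))%26)
		case r >= 'A' && r <= 'Z':
			b.WriteRune('A' + (r-'A'+rune(shift))%26)
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// breakCaesar recovers the plaintext without the key: try all 26 shifts and
// keep the one containing a crib (a string expected in every record).
func breakCaesar(ciphertext, crib string) (shift int, plaintext string, ok bool) {
	for s := 0; s < 26; s++ {
		cand := caesarShift(ciphertext, -s)
		if strings.Contains(cand, crib) {
			return s, cand, true
		}
	}
	return 0, "", false
}

// newKey draws a 256-bit AES key from the OS CSPRNG. In production the key
// belongs in a KMS or HSM, not on the same share as the photos.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts one record with AES-256-GCM and returns
// nonce || ciphertext || tag. The record ID is bound as associated data, so a
// blob cannot be silently re-filed under a different patient.
func sealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// openRecord reverses sealRecord and fails closed if the nonce, ciphertext,
// tag or associated record ID has been altered.
func openRecord(key []byte, recordID string, blob []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to hold a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	// Constructed sample record; not real patient data.
	record := "patient=12345 procedure=rhinoplasty photo=before.jpg"
	ct := caesarShift(record, 7)
	_, pt, _ := breakCaesar(ct, "procedure=")
	fmt.Printf("caesar: %q\nrecovered with no key: %q\n", ct, pt)

	key, _ := newKey()
	blob, _ := sealRecord(key, "12345", []byte(record))
	_, err := openRecord(key, "99999", blob) // wrong patient ID
	fmt.Println("re-filed blob rejected:", err != nil)
	blob[len(blob)-1] ^= 0x01 // flip one bit of the tag
	_, err = openRecord(key, "12345", blob)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The point of the GCM half is not the algorithm name but the two properties a Caesar cipher lacks: a key that cannot be brute-forced and an authentication tag that makes any modification, including moving a blob between patients, fail closed. Where the key is stored, and who can call openRecord, is the part an audit should actually ask about.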
        
           | cratermoon wrote:
            | Can confirm. Even getting the ISO27001 certification is
           | mostly about checking boxes. In many cases an ISO27001 item
           | can be satisfied by picking one of several ways that standard
           | gives to claim it's not relevant.
        
             | popotamonga wrote:
             | All a joke, we tell the auditors what they want to hear, we
              | provide documents to prove the processes are implemented
              | as they should but then in practice nothing is followed but
              | they don't get to know that.
        
             | bladegash wrote:
             | You don't even have to check boxes for ISO 27001 these
             | days. All you need to do is pay "consultants" in certain
             | foreign countries about $5k and you magically receive your
             | certification.
        
               | hsbauauvhabzb wrote:
               | Can you elaborate? I'm not attempting to use them, it's a
               | useful tool when explaining 27001 doesn't mean jack.
        
       | ashishb wrote:
       | Private data is a toxic asset. Businesses should learn to purge
       | it regularly to minimize such damages.
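
One way to act on "purge it regularly" is to make retention a rule the system enforces rather than a task someone remembers. The following is an added example, not code from the page or from any clinic's system: a retention policy evaluated over photo records, keeping an image while it has been captured or clinically reopened within the retention window, never auto-purging anything under legal hold, and recording the reason for every decision so the audit trail exists before anyone asks for it. The record type, field names, retention period and sample records are all constructed for this example.

```go
package main

import (
	"fmt"
	"time"
)

// PhotoRecord is a constructed stand-in for one stored before/after image.
type PhotoRecord struct {
	ID         string
	PatientID  string
	Captured   time.Time
	LastOpened time.Time // most recent clinical access, zero if never reopened
	LegalHold  bool      // kept for a complaint or claim; never auto-purged
}

// Policy holds the retention rule: an image leaves the live store once it
// has been idle (neither captured nor opened) for longer than Retention.
type Policy struct {
	Retention time.Duration
}

// Decision is the audit trail entry for each record. Keeping the reason is
// what lets you answer "why was (or wasn't) this deleted?" later.
type Decision struct {
	ID     string
	Purge  bool
	Reason string
}

// lastActivity is the later of capture and last clinical access.
func lastActivity(r PhotoRecord) time.Time {
	if r.LastOpened.After(r.Captured) {
		return r.LastOpened
	}
	return r.Captured
}

// Evaluate applies the policy at time now and returns one decision per record.
func (p Policy) Evaluate(now time.Time, recs []PhotoRecord) []Decision {
	out := make([]Decision, 0, len(recs))
	for _, r := range recs {
		idle := now.Sub(lastActivity(r))
		switch {
		case r.LegalHold:
			out = append(out, Decision{r.ID, false, "legal hold"})
		case idle > p.Retention:
			out = append(out, Decision{r.ID, true,
				fmt.Sprintf("idle %d days, retention %d days",
					int(idle.Hours()/24), int(p.Retention.Hours()/24))})
		default:
			out = append(out, Decision{r.ID, false, "within retention"})
		}
	}
	return out
}

// PurgeIDs filters the decisions down to the record IDs to delete.
func PurgeIDs(ds []Decision) []string {
	var ids []string
	for _, d := range ds {
		if d.Purge {
			ids = append(ids, d.ID)
		}
	}
	return ids
}

// SampleRecords is constructed test data relative to a fixed "now".
func SampleRecords(now time.Time) []PhotoRecord {
	day := 24 * time.Hour
	return []PhotoRecord{
		{ID: "img-1", PatientID: "p1", Captured: now.Add(-5 * 365 * day)},                                      // stale
		{ID: "img-2", PatientID: "p2", Captured: now.Add(-5 * 365 * day), LastOpened: now.Add(-30 * day)},     // reopened at follow-up
		{ID: "img-3", PatientID: "p3", Captured: now.Add(-5 * 365 * day), LegalHold: true},                    // claim pending
		{ID: "img-4", PatientID: "p4", Captured: now.Add(-10 * day)},                                            // recent
	}
}

func main() {
	now := time.Date(2020, 12, 24, 0, 0, 0, 0, time.UTC)
	policy := Policy{Retention: 2 * 365 * 24 * time.Hour}
	decisions := policy.Evaluate(now, SampleRecords(now))
	for _, d := range decisions {
		fmt.Printf("%s purge=%t (%s)\n", d.ID, d.Purge, d.Reason)
	}
	fmt.Println("to delete:", PurgeIDs(decisions))
}
```

The retention period itself is a clinical and legal decision, not a technical one; what the code contributes is that the decision is applied the same way every run, that a legal hold cannot be forgotten, and that deletion leaves a record of why. Deleting from the live store also only helps if backups follow the same rule, or if each record is encrypted under a key that the purge destroys.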
        
         | jessaustin wrote:
         | One would think that if anyone had seen enough breasts, it
         | would have been a plastic surgeon. Maybe they preserved these
         | images for use in malpractice suits, but that's not a reason to
         | keep the images online.
        
       | underseacables wrote:
       | Are these photos really of interest to anyone? I think for most
       | people you can tell if they've had work done. I guess the
       | elephant in the room is breast augmentation, but I think it's
       | pretty easy to tell the difference between natural and bolt-on.
        
         | tompazourek wrote:
         | Lot of the photos might show private parts, and I think people
         | will feel violated when these are shared without their consent.
        
           | underseacables wrote:
           | But is it enough that the company should worry? It's not the
            | Fappening. I just think so what, it's tragic and a black eye on
           | the company, but it's like stealing something with no value.
        
             | motoxpro wrote:
             | Pretty sure the company makes money by people going to get
             | plastic surgery. I'm not going to buy from a company where
             | my private pictures are leaked. Reputation is valuable. The
             | pictures might not be valuable to you, but a lot of people
             | pay for "leaked" celebrity photos, of which the company has
              | a lot.
        
             | traceddd wrote:
             | Should the celebs worry? Probably not. Should the company
             | worry? Yes, they'll have a name for that surgeon who leaks
             | your medical documents and doesn't really care enough to
             | pay to keep your privacy. There are other good surgeons out
             | there, probably right next door. Customers will be more
             | likely to choose someone else.
        
         | draw_down wrote:
         | This is just denial
        
       | reiderrider wrote:
       | Do hacker groups have positive track records of not sharing their
       | stolen data? It's ironic to pay and then rely on trusting them.
        
         | wolco2 wrote:
          | Yes, even if you don't pay, because unless revenge is part of
          | the target, attacking you just wastes time with no gain.
        
         | Miner49er wrote:
         | Yes, otherwise people would stop paying them. However, I
         | wouldn't be surprised if once they make enough money, they do a
         | type of exit scam: sell anything they can, then leave the
         | business. It happens often in dark net markets.
        
           | ryanlol wrote:
           | Most stolen data is very hard to sell for meaningful amounts.
           | Such an "exit scam" would be a waste of time, you'd make more
           | money by just ransoming one more company.
           | 
           | When you're earning (tens of) millions by extorting companies
           | you aren't going to be very interested in selling their data
           | for tens or hundreds of thousands.
        
             | Miner49er wrote:
             | True, it's probably not worth the time unless they've
             | stolen some very valuable data. Obviously things like
             | plastic surgery pics wouldn't be worth much of anything.
        
               | washadjeffmad wrote:
               | Depends on the clients. I remember a case where a family
               | that hid their daughter's cosmetic surgeries had the
               | marriage annulled when it was discovered by the groom's
               | much wealthier family.
               | 
               | So a lucrative target might be someone who traveled from
               | outside the US to have work done to hide it, especially
               | if they were relatively young.
        
               | ryanlol wrote:
               | It's always possible to come up with an extremely
                | unlikely scenario where the data would be
               | extraordinarily valuable, but nobody is going to bet
               | hundreds of thousands (or millions, to actually make it
               | worth it for the ransomware gang) to buy the data.
        
               | LinuxBender wrote:
               | Exception would likely be pictures of celebrities. Their
               | managers would not want those being distributed and would
               | sue whoever they could.
        
               | ryanlol wrote:
               | Again, that's only good for extortion. Only worth tens of
               | thousands if you're going to sell them.
        
               | LinuxBender wrote:
               | Agreed. Otherwise they would just be dumped on the web or
               | put behind paywalls of dodgy sites.
        
       | Timpy wrote:
       | > The Hospital Group, which has a long list of celebrity
       | endorsements, has confirmed the ransomware attack.
       | 
       | This isn't a ransomware attack, they're not encrypting the
       | company's drives and demanding a ransom to unencrypt them. Not
       | every "I hacked you now pay me or bad things happen" situation is
       | ransomware.
        
         | jahewson wrote:
         | Extortionware would be appropriate.
        
         | smarx007 wrote:
         | What you are talking about are cryptolockers and they are a
         | subset of ransomware. Not all ransomware are cryptolockers. In
         | this case, ransomware exfilled the data without a need for
         | cryptolockers. They are still asking for a ransom.
        
         | bigbubba wrote:
         | They're not using cryptography, but aren't they demanding
         | ransom? Is the use of cryptography an essential part of what it
         | means for something to be ransomware, or is it merely a common
         | implementation detail?
        
           | flyGuyOnTheSly wrote:
           | They are demanding a ransom, but Ransomware has a commonly
           | accepted definition which requires encrypting files and
           | demanding payment to decrypt them. [0]
           | 
           | [0] https://en.wikipedia.org/wiki/Ransomware
        
             | zimpenfish wrote:
             | The very first sentence of that link would include this
             | under "ransomware"
             | 
             | > Ransomware is a type of malware from cryptovirology that
                | _threatens to publish the victim's data_ or perpetually
             | block access to it unless a ransom is paid.
             | 
             | (added emphasis)
        
               | flyGuyOnTheSly wrote:
               | That's a single sentence pulled from a very long
               | definition, though.
               | 
               | Here's the third sentence from that very same paragraph:
               | 
               | >It encrypts the victim's files, making them
               | inaccessible, and demands a ransom payment to decrypt
               | them.
               | 
               | Not everything can be explained in a single sentence.
        
             | tompazourek wrote:
             | They are not demanding ransom. Ransom is (per Merriam
             | Webster): "a consideration paid or demanded for the release
             | of someone or something from captivity".
             | 
             | They copied the data, and they want money _otherwise_ they
              | will release it. It's ordinary blackmail.
        
               | bigbubba wrote:
               | Perhaps you could say they are ransoming the exclusive
               | ownership of the data. But yes, 'blackmail' seems like a
               | better fit.
        
           | curryst wrote:
           | > They're not using cryptography, but aren't they demanding
           | ransom?
           | 
           | No, a ransom is a fee paid for the release of something you
           | value. Cryptography is one way to take a user's data, and
           | release it back to them on payment.
           | 
           | This is blackmail. They want payment to _not_ release
           | something.
        
           | heavyset_go wrote:
           | It's blackmail.
        
             | ajay-b wrote:
             | Against whom? Where is the profit mechanism? Are the
             | hackers really prepared to track down every patient and try
             | to blackmail them? It's like the emails you get some times
             | from hackers that have an old password of yours and
             | threaten to release that video of you pleasuring yourself.
             | Seriously?
        
           | derivagral wrote:
           | To me, ransomware attacks are specifically "the malware got
           | in and turned all my data to mush; the attacker doesn't care
           | about my data, just that I'll pay to un-mush it."
           | 
           | This is "the malware got in and sent copies back home; now
           | home base is threatening release and expecting payment to
           | prevent it." To me, this is blackmail done via hacking, not
           | ransomware.
        
             | Godel_unicode wrote:
             | Fwiw, many actors doing the former are also doing the
             | latter. If someone paid you once to unencrypt, presumably
             | they'll pay you again to not disclose the data. The line
             | between those two business models is pretty blurry.
        
         | jMyles wrote:
         | Ransom usually means, "I have some(one|thing) of yours, and if
         | you _want it back_ , you need to pay me."
         | 
          | Calling this "ransomware" subtly blurs the line between copying
         | and stealing. The attackers here didn't remove access to the
         | data (clearly stealing), they made a copy (clearly a crime
         | other than stealing, at least in my view).
         | 
         | It's more like blackmail than kidnapping.
        
         | throw14082020 wrote:
         | Timpy :P, your understanding of ransomware is different to
         | Wikipedia's:
         | 
         | > Ransomware is a type of malware from cryptovirology that
         | threatens to publish the victim's data or perpetually block
         | access to it unless a ransom is paid.
        
           | Timpy wrote:
           | If this is the definition of ransomware then I was indeed
           | incorrect. I understood ransomware to be "threatens to
           | perpetually block access to data" only.
        
             | libria wrote:
             | No I agree with your initial statement. The victim is not
             | deprived of data or normal operation. As stated elsewhere
             | it's blackmail.
             | 
             | Adding: Wikipedia is also not necessarily authoritative.
        
             | g_p wrote:
             | When companies started restoring from their (new and
             | existing!) backups when hit by ransomware, the ransomware
             | authors looked at what would impact their "clients" the
             | most -- if preventing them getting access to their data
             | wasn't enough to make them pay up, then exposing their data
             | and turning it into a breach that results in regulatory
             | action helps them commercialise their "access".
             | 
             | I think in a way, ransomware authors are following the
             | "free market" approach, trying to best monetise their
             | unauthorised access to other people's IT systems. Perhaps
             | the prevalence of ransomware will eventually help
             | businesses to properly cost in the risk of security to
             | their business, and get their security in order, as there's
             | a tangible cost threat?
        
             | calvinmorrison wrote:
             | So at this point it's just a normal Ransom. There's no
             | 'wares' doing it. Someone stealing something does not make
             | it ransomware.
        
               | celticninja wrote:
               | REvil is ransomware that locks you out but first
               | exfiltrates your data. Then the attackers have 2 points
               | of leverage: lock-out, which you may be able to circumvent
               | with a safe backup process, but that won't protect you
               | from the release of your data. This gives the attacker 2
               | bites at the cherry when trying to convince you to pay.
        
               | jolmg wrote:
               | Since we're discussing word choices and definitions, I'd
               | argue that it's not stealing either if the Hospital
               | retained possession of the data. It might be better said
               | that they "obtained without authorization" or "illegally
               | obtained".
               | 
               | What makes "stealing" particularly bad is that the
               | rightful owner no longer has possession of their
               | property. That's not necessarily the case with data.
        
               | tomc1985 wrote:
               | This sort of thing is why people need to stop thinking
               | that the digital world is analogous to our analog one.
               | 
               | In digital, information wants to be free and many kinds
               | of resources are effectively unlimited. There is no
               | material scarcity. Therefore, theft, in the digital
               | world, can't be the same as it is in our analog world.
               | 
               | To be fair, this also applies to copyright and people's
               | foolish notion that they can protect data without a great
               | amount of preventing otherwise normal "physiological"
               | processes. (Ironically, rather than having a wake-up
               | moment where people realize their folly, we've
               | institutionalized these resource-scarcity regimes into
               | resource-abundant versions in the digital world.)
               | 
               | To summarize, info wants to be free, and since theft
               | requires _extra_ effort to deprive someone of what you
               | stole, does that definition of theft really apply here?
               | Or does it need to change given the context? And, as a
               | secondary point, people like to think they can protect
               | data but their brains are stuck in our analog,
               | resource-scarce world.
        
               | young_unixer wrote:
               | Stealing would be breaking into their premises and taking
               | the computers. Obtaining data isn't stealing.
        
               | pc86 wrote:
               | > _Obtaining data isn't stealing._
               | 
               | What is it then, if you don't have the legal right to the
               | data?
        
               | __MatrixMan__ wrote:
               | If some law prevents you from having access to some data,
               | then presumably that law has a name for whatever the
               | crime is.
               | 
               | It's not like we need the law to explicitly allow types
               | of access. Anything not explicitly disallowed is allowed
               | without a special name.
               | 
               | "Stealing" happens when the original owner is deprived of
               | the thing.
        
               | riffraff wrote:
               | But it's not even ransom; "ransom" is the situation where
               | something/someone is held until money is paid and then
               | it's returned.
               | 
               | There is nothing being returned here, since the hospital
               | has not lost access to the data, and the threat is that
               | private data will be published.
               | 
               | This is just blackmail.
        
               | tertius wrote:
               | What has been lost is the privacy of the data, which can
               | be returned.
        
               | plorkyeran wrote:
               | No, it can't. It is impossible for the blackmailers to
               | prove that they no longer have a copy of the data.
        
           | threatofrain wrote:
           | If somebody breaks into a psychiatrist's office and threatens
           | the release of embarrassing or sensitive data unless there's
           | payment, isn't that just classic blackmail?
        
             | BoorishBears wrote:
             | ... what?
             | 
             | What moral question?
             | 
             | This thread is someone questioning calling it a
             | ransomware attack; it was one. Being a ransomware attack
             | doesn't preclude it from being blackmail, and I don't think
             | anyone you replied to has questioned the morality of it...
        
               | [deleted]
        
       | ajay-b wrote:
       | The payoff for hackers seems too low here, why was this even a
       | target? Kids and too much free time?
        
       | 29athrowaway wrote:
       | They can collect the money and leak the information anyway.
        
         | tompazourek wrote:
         | If they leak the photos after they get the money, they might
         | have less chance of getting the money next time.
         | 
         | They probably don't care for the photos. They care about making
         | money and want to keep making money in the future.
        
           | powersnail wrote:
           | They might not want to keep making money in the future.
           | Sometimes, they score something big and leave the business.
        
             | tompazourek wrote:
             | Maybe you're right, but it still feels to me that leaking
             | the pictures will not benefit the scammers much. They might
             | have connections to other people that are still in the
             | business and they'd harm them indirectly by leaking after
             | getting paid. Why make more enemies? Also, why put more
             | attention onto themselves after they already succeeded?
             | Some people have very strange reasons they do things, but I
             | still don't think it's likely. I think these things are
             | organized with the top priority of minimizing the risk of
             | getting caught.
        
           | anigbrowl wrote:
           | You're assuming they're rational in this regard, but not
           | rational enough to change their identity or select a
           | different class of target in the future.
        
       | sib wrote:
       | "It's understood that many before and after pictures will not
       | include the patients' faces."
       | 
       | What kind of pointless statement is this? What is "many"? And
       | does that imply that "many," "most," or "only a few" pictures
       | _will_ include the patients' faces?
        
         | elliekelly wrote:
         | Photos of facial surgery are more likely to be identifiable
         | (nose, cheeks, chin, lips, eyes/eyebrows) while photos of
         | bodily surgery (breasts, arms, stomach, etc.) won't include the
         | patient's face. It's probably up to the doctor's photograph
         | preference what types of facial photographs are identifiable
         | and how close/far the zoom is when they take the picture.
        
         | anonymfus wrote:
         | _> It has 11 clinics specialising in bariatric weight loss
         | surgery, breast enlargements, nipple corrections and nose
         | adjustments._
         | 
         | I guess pictures of nose adjustment patients most certainly
         | include faces, and pictures of nipple corrections probably
         | don't.
        
       | Waterluvian wrote:
       | Until these breaches result in lawsuits and maybe even criminal
       | charges that result in complete dissolution of the corporation to
       | pay out, these events will never stop happening.
        
       ___________________________________________________________________
       (page generated 2020-12-24 23:00 UTC)