Peachtree Orthopaedic Clinic announced a breach last month. Now the hackers behind the attack, the Dark Overlord, say that the clinic owner has not paid the ransom – 83 bitcoins or around $60k – and they are threatening to release more records. Last month they released names, birth dates, addresses, prescription info and socials of a group of patients.
They claim to have taken more than a half million records, including the prescription history for a number of professional athletes.
The hackers say that Michael Butler, the CEO of Peachtree, promised to pay 83 bitcoins, but has not done that.
The hackers say that they will release more and more records in an effort to get the clinic to pay the ransom. One would think that with pro athletes in the mix, paying $60k to keep your drug habits out of public scrutiny, even if everything you are taking is legal. Of course, we don’t know if the $60k is a down payment or whether the hackers will be happy with that much money.
For any organization storing sensitive customer data, this should be a warning. How would you deal with an event like this, going on for more than a month with no resolution?
Some hackers have figured out that an easier way to monetize stealing your data may be to extort you instead of selling your data. It is not at all clear what the end game will be with Peachtree Orthopaedic, but it is clear that it will be messy no matter how it turns out. Not only have they been dealing with hackers for a month, but they have been dealing with the FBI trying to figure out who the hackers are.
If your company had to deal with the same situation as Peachtree has been dealing with for a month or more, how well prepared are you? What do you tell your clients? What are your employees supposed to do? It has to be a huge distraction.
At this point, Peachtree is likely unclear as to exactly what data the hackers have and whether they will release the private data on its most privacy-sensitive clients – pro athletes. They may have a half million records. Or they may not. This is dragging on beyond what seems reasonable. One guess could be that they don’t really have the data, but that is a dicey bet if you guess wrong.
Information for this post came from Motherboard.