author photo
By Bruce Sussman
Mon | Feb 3, 2020 | 12:19 PM PST

Black smoke billowed. Sirens blared. And I ran.

I was doing a live report along the waterfront in Portland, Oregon, when my photographer spotted the column of smoke a block away.

We hurried to the building to interview people who escaped ahead of the flames.

But when we got there, we found a problem. Many of the people evacuated were from a plastic surgery clinic, who had to flee mid-procedure.

Some patients wore medical garments, others had gauze taped in various places, and all of them looked stunned. 

A few turned around quickly when they saw our camera, but others came up and made direct pleas.

That included a woman who confided that even her own friends did not know she was having the procedure. "Please, do not show me," she said. Another man quickly followed up: "If this were you, would you want the world to know you had plastic surgery? Please consider that."

We did consider that, and we used other footage for the story instead.

But the very notion that you are doing something private when you have plastic surgery is now being used as leverage by hackers.

Their question for you: how much is your privacy worth?

Hacker extortion case: the plastic surgery clinic

Dr. Richard Davis at The Center for Facial Restoration (TCFFR) in Miramar, Florida, and his patients, are experiencing this hacker extortion nightmare right now.

He explained what happened in a data breach notice on his website:

"On November 8, 2019, I received an anonymous communication from cyber criminals stating that my 'clinic's server (was) breached.' The hackers claimed to have 'the complete patient's data' for TCFFR that 'can be publicly exposed or traded to third parties.' They demanded a ransom negotiation...."

That's right: hackers targeted a doctor who holds the plastic surgery secrets of more than 3,500 patients. Pay up, or we'll expose your patients.

In a cold-hearted way, you could simply view this as a business to business (B2B) type of transaction. The kind we are seeing more of.

The kind that has some doctors quitting after a ransomware attack.

Hacker extortion case: the plastic surgery patients 

But what happens next in this story is even lower and colder. Because Dr. Davis revealed that hackers are going after some patients directly.

"...about 15-20 patients have since contacted TCFFR to report individual ransom demands from the attackers threatening the public release of their photos and personal information unless unspecified ransom demands are negotiated and met."

That's right: we promise to expose your most private moments, like that elective procedure you kept secret, unless you pay us.

Hackers are now going for business to consumer (B2C) transactions if they can't get the organization involved to pay up.

Dr. Davis says he's notified the FBI and is upgrading his cybersecurity, and he ended his data breach notice like this:

 "I am sickened by this unlawful and self-serving intrusion, and I am truly very sorry for your involvement in this senseless and malicious act."

Hackers and ransomware: extortion is the new focus

For years, hackers who launched ransomware attacks encrypted corporate or personal data and demanded money for the digital keys to unlock it.

But increasingly, organizations are developing ways around this problem.

Efforts like nomoreransom.org provide free decryption keys for dozens of known ransomware strains.

And Roger Grimes of security awareness company KnowBe4 says an increasing number of companies keep offline data backups which hackers can't get to.

This means too many ransom demands go unpaid; and that makes cyber criminals angry.

"Then they realized that encrypting some company's data wasn't the worst thing they could do. They could do things that a backup wasn't going to fix. They realized that with the high level of admin access they had they could do anything. And that's when they started getting smarter… and meaner.

They realized that by copying the data first, and threatening to release it to the company's competitors and the public in general, that a tape backup wasn't going to help the victim. Imagine every email you and your employees have ever written, out there on the internet.

Imagine every time some frustrated employee venting about a customer or partner in an email got thrown out into the public for everyone to read."

Concludes Grimes:

"Ransomware isn't here to let you take time to decide if your supposedly good backups are really good. They want to inflict the most amount of pain and risk immediately. They want to get paid, and they will do anything it takes to make that get happen, including making your company an example of what happens if you don't pay."

Hacker extortion target: medical clinic

And in this battle between hackers and business, patients and customers are increasingly caught in the middle.

Imagine the fear of having your private plastic surgery procedures exposed to the world. Clients of The Center for Facial Restoration must now live with that possibility. 

You might have a shot when you ask a reporter to consider your privacy out of human decency. But only one thing seems to get hackers to do this: money.

[RELATED: The SecureWorld Sessions podcast series, "Talking to Hackers Through an Alias"]

Comments