Police investigating after hacker steals 500,000 records from cosmetic surgery practice

An unidentified hacker was able to access and exfiltrate almost half a million records on potential cosmetic surgery patients, it has been revealed.

Police investigating after hacker steals 500,000 records from cosmetic surgery practice
Police investigating after hacker steals 500,000 records from cosmetic surgery practice

The Harley Medical Group, based out of Thames Ditton, Surrey and a leader in cosmetic surgery with 21 practices around the UK, announced on Tuesday that a hacker had accessed details of nearly 480,000 people by compromising the firm's website.

These people had filled out an initial enquiry form on the website on the possibility of undergoing a procedure, with user details including names, addresses, dates of birth and contact details. The company has repeatedly stressed, however, that confidential clinical and financial data was not accessed.

It's not clear at this point on the method of the attack, but the motive clearly appears to be financial. Although the group did not go into detail on specifics of the attack (as the investigation is on-going), a spokesperson for the firm said that it was “very clear” that the hacker wanted financial settlement.

The firm told SCMagazineUK.com that it contacted police about the matter on April 3, “within days” of the attack. The company has since advised the Information Commissioner's Office about the incident.

Company chairman Peter Boddy has written to the people affected to apologise for the data breach:

“We recently became aware that an unknown individual had deliberately bypassed our website security, gaining access to information from initial website enquiries in an attempt to extort money from the company.

“…We acted immediately to deal with this situation. We have informed the police and will continue to provide whatever assistance that they may require to track down the perpetrator of this illegal act, and are also informing the Information Commissioners Office.”

An ICO spokesman added in an email to SC: “We have recently been made aware of a possible data breach involving the Harley Medical Group. We will be making inquiries into the circumstances of the alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken."

Bob Tarzey, an analyst at IT consultancy Quocirca, told SCMagazineUK.com that cyber-criminals could seek out healthcare records of the rich and famous in order to line their own pockets.

"In general terms our individual health details are of little interest to anyone other than ourselves and our families, so there is little incentive for thieves to steal such data as it cannot be monetised," he said via email.

"The exception to this is the health details of the rich and famous which could be used for bribery and embarrassment. Apparently, in this case, the aim was to blackmail the company; that has clearly failed as it has disclosed the breach, but they may still have some interesting stuff to try and sell to the press (the breach only involved inquiries not actual patient details). 

"That said, in the UK at least, with the level of press scrutiny at the moment, given that Harley has disclosed, any editor is unlikely to want to be seen as using such data. Harley should have kept such data safer, but it has been right to admit to the link."

Adrian Culley, an independent information security consultant and formerly of Scotland Yard's Computer Crime Unit, added that it is encouraging to see private companies - and the ICO - reacting so quickly to the attack, especially in light of the fact that some companies - including Target - have taken months to disclose a breach.

"Those responsible appear to have been attempting extortion based upon access to sensitive medical data. Again this highlights criminals seeking to exploit digital opportunity for profit wherever they can, blending conventional crime with technology," he told SC

"It is encouraging that both the Office of the Information Commissioner and Law and Enforcement have been contacted at the earliest opportunity."

Fellow researcher, Graham Cluley - once of Sophos - was more damming on the breach, and said that it should act as another wake-up call for companies to use layered-security with encryption.

"It's worrying to hear that the private medical information of thousands of people has been exposed by sloppy security," he told SC.

"Any organisations storing sensitive information have a duty to properly defend it with layered security, properly hardened websites and strong tough-to-crack encryption. If firms don't take steps to properly protect their customers' information they shouldn't be surprised if they take their wallets elsewhere."