Bank refuses to pay $3,000,000 ransom, hacker exposes customer account details

David Bisson

A hacker has published the account statements of hundreds of United Arab Emirates (UAE) bank customers after his $3 million ransom demand went unfulfilled.

SC Magazine reports that beginning on November 18th, an individual known only as “Hacker Buba” began tweeting offers to “Sell #sql from #database” from Invest Bank, a financial institution based in Sharjah, UAE.

The stolen data was said at the time to total 900GB in size and to include the names, credit card information, and financial details of Invest Bank customers.

The hacker stated that he would remain silent about the hack if he were to receive approximately $3 million USD worth of Bitcoin from Invest Bank.


But the bank refused to budge.

“Yes, there was a data breach and we have been contacted by Hacker Buba. He is asking for money but I cannot reveal how much. This is blackmail. We have reported the matter to UAE Central Bank. The Telecom Regulatory Authority’s Computer Emergency Response Team is investigating,” the bank’s chief financial and operating officer told XPRESS. “We won’t give in to any extortion threat. In any case there has been no financial loss. All that this man has is some customer information and he’s trying to use it as a bargaining chip.”

Determined to secure his ransom, Hacker Buba contacted XPRESS and offered the journalist who broke the Invest Bank story five percent of the profits he expected to make by extorting other banks whose data he allegedly held in Qatar, the UAE, and elsewhere.

All the reporter needed to do was help him convince Invest Bank to pay the ransom. (How exactly the reporter was supposed to go about doing this is unclear.)


By November 23rd, Hacker Buba had not received his ransom payment, and Twitter had shut down his original handle @hacker_invest.

But this didn’t stop the extortionist. He simply created another Twitter handle and began tweeting out the account statements of 500 Invest Bank clients.

The files – some of which were Excel spreadsheets, while others appeared to WIRED to be entire SQL databases – contained credit card transactions, credit card numbers, authorization codes, and the amounts of purchase. No names were included, however.

The balances of some 50,000 bank cards were also purported to have been exposed. Some of these accounts contained up to $12 million USD individually, with their sum totalling up to $110 million.

Customers have expressed outrage at having their banking details leaked online, especially considering the fact that some of them were not notified about the breach until the newspaper contacted them for comment.

As I have written in the past, direct and timely communication is imperative when it comes to a company’s post-incident response. Let us hope the reports that the bank failed to notify its customers of the hack before the data was dumped on Twitter are false.

If they are true, however, I anticipate this lack of communication will hurt Invest Bank’s reputation much worse and for far longer than the actual breach will.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

2 comments on “Bank refuses to pay $3,000,000 ransom, hacker exposes customer account details”

  1. Simon

    I'm at two minds on this.

    It's good Invest Bank didn't give into extortion as it only encourages others.

    HOWEVER, not having the right mitigations to prevent this from occurring is very bad. Probably just as bad is their customers finding out from a 3rd party.

  2. Spryte

    “There has been no financial loss. All that this man has is some customer information and he's trying to use it as a bargaining chip.”

    With that kind of attitude, if I were a customer at that bank, I wouldn't be any longer!!
    Names, account numbers, credit card information… all published online.

    I'd be pretty pissed off. And to find out about it in the news media, even worse.

    I do agree with the bank not paying (as Simon mentions above) but first let the customers know so they can cancel cards and put a watch on their accounts.
