Hackers Steal, Post Financial Data From Major CorporationsAfter Citycomp Refuses to Pay Ransom, Cybercriminals Post Customers' Data Online
Cybercriminals have stolen customer data from a German IT company whose clients include Oracle, Volkswagen, Airbus, Ericsson, Toshiba British Telecom and many others. When the IT company, Germany's Citycomp, refused to pay a ransom, the hackers posted the data online Tuesday, the company confirms.
A public-facing website apparently established by the cybercriminals claims to contain data stolen from Citycomp and lists the clients affected.
The cybercrime gang apparently responsible for the attack claims to have published a total of 516GB of "financial and private information" that encompasses 312,570 files within 51,025 folders, according to the website. The data, which is available for free download, has also been uploaded to the dark net, the website claims.
Citycomp has notified German law enforcement, including the State Office for Criminal Investigation Baden-Württemberg, of the hack, which occurred in early April, says Michael Bartsch, the executive director of Deutor Cyber Security Solutions, a crisis management and security firm working on behalf of Citycomp.
"Citycomp Service GmbH has successfully fended off a hacker attack and does not yield to blackmail," Bartsch, tells Information Security Media Group. "The repercussion is the publication of the stolen customer data."
Affected Companies Notified
Bartsch says it's not yet clear who is behind this incident or how the attack occurred. Citycomp has implemented additional security measures in the wake of the attack and has notified all customers whose data was affected, he adds.
"The stolen data has now been published by the perpetrators, and Citycomp's customers were informed about it," Bartsch says. "In cooperation with the State Office for Criminal Investigation Baden-Württemberg, suitable measures for prosecution were initiated. At an early stage, Citycomp was transparent and informed the relevant data protection authorities and customers about the cyberattack and data theft. Full transparency was in place right from the start."
So far, no other internal systems or customer data has been compromised, but some systems have been taken offline so police can examine them, Bartsch says.
In several cases, the customers listed on the cybercriminal's site have the letters "GmbH" attached to their files, which is a German designation for a limited liability company, so it appears the data might refer to the German-based offices of these companies, according to Motherboard, which first reported on the hacking and leaked data.
The attackers sought $1 million in ransom, half in cash and half in bitcoin, according to the German publication Spiegel Online. The attackers demanded the money directly from Citycomp and not its customers, the publication reports.
Dumping Data and Paying Ransom
Criminal gangs increasingly are stealing data from corporate networks and then demanding money to refrain from publishing it.
For instance, in late 2018, Australian defense contractor Austal was subjected to this type of extortion when a group calling itself "Joker" stole data (see: Australian Shipbuilder Hacked, Refuses to Pay Ransom). Austal ignored the group's demands and contacted local law enforcement.
Security experts and law enforcement officials, including the FBI, recommend that cyber extortion victims never pay a ransom, warning that doing so directly funds cybercrime. Some victims who pay ransoms also get targeted again by the same attacker, demanding yet more payoffs (see: Please Don't Pay Ransoms, FBI Urges).
"The FBI does not condone payment of ransom, as payment of extortion monies may encourage continued criminal activity, lead to other victimizations, or be used to facilitate serious crimes," Christopher Stangl of the FBI has told ISMG.
Businesses of all sizes, however, face an ethical dilemma when it comes to paying ransom for data, especially if the incident could lead to the company closing its doors, says Nathan Wenzler, the senior director of cybersecurity at Moss Adams, a Seattle-based consultancy.
"If the ransom itself is less than the value of the data or system that has been compromised and the related recovery costs, then the business may decide that it's worth it to simply pay the ransom," Wenzler tells ISMG. "Ultimately, this is a business risk decision, and if the cost to recover is too high, then it may pose less risk to the organization to take a chance on the attacker upholding their end of the arrangement and simply pay the ransom."