A group of hackers has attempted to extort €150,000 from Belgian bank Belfius by blackmailing the bank over hacked data.
The hackers said in an online ransom note that if they were not paid by Friday, they would release the data of customers of Elantis, taken from a compromised server. Elantis is a mortgage and consumer credit company owned by Belfius.
"While this could be called 'blackmail', we prefer to think of it as an 'idiot tax' for leaving confidential data unprotected on a web server," said the ransom demand.
The hackers claimed to have accessed database tables containing unencrypted and unprotected data from loan applications such as applicants' full names, jobs, ID card numbers, contact information and details about their income.
Belfius told ZDNet UK on Friday that it had informed the Federal Computer Crime Unit in Brussels and local police in Liege of the extortion attempt. Up to 3,700 customers and brokers may have been affected, and they have been informed of the probable breach, said the bank.
"We say this is blackmail," Belfius spokeswoman Moniek Delvou said on Friday. "The ransom has to be paid today... We will not pay."
The hackers sent Elantis an email last Friday demanding the money, saying that they had got hold of details of Elantis brokers and customers. Elantis reacted by immediately shutting down its servers, said Delvou.
The data that was likely to have been stolen consisted of online mortgage and credit application quotes, said Belfius.
Belgian police have launched an investigation, and Belfius has engaged a US security company to conduct an internal enquiry. Delvou said the bank could not comment on how the hackers had managed to break in.
While this could be called 'blackmail,' we prefer to think of it as an 'idiot tax' for leaving confidential data unprotected on a web server.
– Ransom demand
The bank said that as the Elantis and Belfius servers were separate, Belfius customers were in "no danger". "Elantis is the [company] that has been hacked," said Delvou. "There is no link between the servers of Elantis and Belfius." The bank said that it would deal with the situation should the hackers post the information.
"Are they going to post the data or not? We don't know for the moment," said Delvou.
A spokeswoman for the UK Metropolitan Police told ZDNet UK that to the knowledge of the Police Central e-Crime Unit, no UK banks had ever been held to ransom over stolen data.
UK financial services trade body the Payments Council said that should any financial services receive extortion demands, they should go the police.
"If ever such a scenario were to happen in the UK, the correct route would be for the organisation to contact the police, as this would be viewed as a criminal matter," said a Payments Council spokesman. "Therefore the organisation best placed to deal with such a thing would be the Police Central e-crime Unit (PCeU), which is run by the Metropolitan Police."