Earlier this week, the Washington Post reported (via Wikileaks) that hackers had compromised a Virginia state prescription web site, deleted the eight million records and replaced the home page with a ransom note.
The ransom demand, $10 million.
Apparently, this isn’t the first case of datanapping, which doesn’t surprise me. I am surprised that I don’t remember seeing cases like this in the past.
I guess they are kept quiet up for good reason.
On the other hand, it’s pretty frequent to hear about laptops with sensitive data going missing or being stolen, but I’ve always wondered where the data go. I figure in most cases, laptop thefts are smash-and-grab crimes that are meant to turn a quick buck. The perpetrator doesn’t bother to scan for useful data.
After all, if you were given someone else’s laptop right now and told to find something useful, how long would it take you to give up in frustration. Think about your own machine. You’d have to sift through a mind-numbing amount of useless crud before finding anything remotely useful.
Please tell me you don’t have a password.doc file on your desktop.
Still, when personal information goes missing like that, don’t you wonder how easy or hard it would be to find it. Even if you knew what the prize was, it might not be easy to find.
Datanapping is quite the opposite.
These criminals knew what they wanted to get and how they planned to profit, which requires a lot of planning, and either a tipster/insider or a scanner to find a vulnerability they could exploit.
Although I doubt the investigation will get much coverage, I’m curious to follow it, especially if they catch the bad guys. Precedents in technical cases are being set nearly every month it seems, and I wonder how sentencing would go in a case like this one.
Anyway, no real point here, just an interesting tidbit.
Find the comments to add your two cents, or more.
Side note: I found a bunch of cool sites that generate ransom notes. I used this one. Spell with Flickr was pretty sweet, too.
Had a laptop out of the work 'pool' once. It was previously used by one of the HR/recruitment people, and had lots of fun stuff about job offers, salary increases…
And it doesn't take too long to find. Mail caches (eg PST files) are pretty easy to open, and can quickly be sorted by email address. There's a whole bunch of desktop tools that index documents, spreadsheets etc, which could pretty easily show up SSN, credit card numbers etc.
Passwords for websites stored by the browser could be useful. Also passwords for wireless networks.
Selling corporate info (apart from credit cards) would probably be a bit trickier. How easy would it be to approach a competitor company to offer them stolen data. The blackmail route seems a lot easier.
Yeah, not that hard to do, but you knew where to look (b/c it came from your company) and had time. It's an investment of many hours to scour a laptop.
Just seems like in smash/grab or found cases, a quick buck is better than effort invested with no promise of a reward.
I wonder if there's anything like a computer chop-shop where they automate this type of stuff and take a cut.
Thinking about the datanapping, I also wonder about how you could sell corporate data to a competitor. That would be an awkward discussion.