[BreachExchange] How hackers demanding seven-figure bitcoin ransom stole 20,000 sets of credit card details

Destry Winant destry at riskbasedsecurity.com
Wed Nov 8 16:09:24 EST 2017


http://www.scmp.com/news/hong-kong/law-crime/article/2118998/how-hackers-demanding-six-figure-bitcoin-ransom-stole-20000

Hong Kong-listed Worldwide Package Travel Service, founded in 1979,
said it could not estimate the losses or how long it would take for
the issue to be resolved, adding that it rejected the attackers’
seven-figure ransom demands.

Its chief executive said customers who paid for trips would still be
able to continue with their journeys, and people who wanted to buy
holidays with them still could – albeit using technology from “30 or
40 years ago”.

More than two days after its database was compromised, the firm’s
executives came out on Wednesday to give an account of the incident.
Chief executive Yuen Chun-ning, chief financial officer Queenie Hon
and IT manager Edmond Lai bowed in front of the cameras before
apologising to affected customers.


Yuen said hackers told the company on Monday morning that the system
had been breached.

The database, which handles company operations from reservations to
payment, held the personal information of about 200,000 customers.

Yuen said about 10 per cent of the customers – 20,000 people – had
their credit card details stolen. The hackers also took people’s phone
numbers, passport information, Hong Kong identity card numbers and
addresses.

A police source said it seemed the hackers broke into the computer of
the agency’s head of IT and then broke into the company server.

“Through the server, hackers changed the passwords of users and made
[their accounts] inaccessible,” the source said.

The hackers left an email for bosses to communicate with them.
According to Yuen, the hackers demanded a seven-figure ransom, to be
paid in bitcoin. Yuen did not say what they offered to do in return
for the ransom, but in similar cases, hackers will usually offer to
unlock the data upon receipt.

It was understood that Yuen bargained with the hackers over email. The
company had backup files of the data stored in the computers.

“After deliberations with our board of directors, we decided not to
pay the ransom,” Yuen said.

“Not only do we not trust hackers, we believe this kind of behaviour
should not be encouraged.”

Yuen said the company regularly upgrades its system security, which
was inspected by a third-party contractor earlier this year.

He refused to disclose the identity of the hackers or the method they
used, citing an ongoing police investigation. He said only that it was
an “unusual” method, not commonly heard of.

Affected customers would be notified as soon as possible, he pledged,
but he said the company had not heard of any financial loss as of
Wednesday.

By Wednesday, the company website was still suspended, but its four
branches had reopened their doors after shutting for the whole of
Tuesday.

“We still accept customers who wish to sign up for tours, but this
will take some time. Imagine how things were done over the phone 30 or
40 years ago,” Yuen said. The company specialises in package trips to
Japan.

Two cybersecurity firms were working with police to find the attackers
and fix the damage they did to the database. If that fails, customer
information will have to be inserted manually from paper records, Yuen
admitted.

