Slashdot Mirror


Hacker Group Demands "Idiot Tax" From Payday Lender

snydeq writes "Hacker group Rex Mundi has made good on its promise to publish thousands of loan-applicant records it swiped from AmeriCash Advance after the payday lender refused to fork over between $15,000 and $20,000 as an extortion fee — or, in Rex Mundi's terms, an 'idiot tax.' The group announced on June 15 that it was able to steal AmeriCash's customer data because the company had left a confidential page unsecured on one of its servers. 'This page allows its affiliates to see how many loan applicants they recruited and how much money they made,' according to the group's post on dpaste.com. 'Not only was this page unsecured, it was actually referenced in their robots.txt file.'"

4 of 263 comments

  1. Re:Strange sense of morals by Bert64 · Score: 5, Insightful

    It's not stealing, since they didn't delete the original file...

    By putting a file on a public webserver, they were PUBLISHING that data. Whether they did so intentionally or not is irrelevant, they did publish it.

    Anyone who accessed it did nothing wrong, they were simply using the website for the function it was intended, to access data made available to the public on it. They did not have to exploit any vulnerable services, nor did they bypass any form of access control.

    The fault lies purely with the company for publishing such information.

    The only thing the "hacking" group have done wrong is the attempted blackmail, they got the actual information fair and square.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  2. Re:Strange sense of morals by EdIII · Score: 5, Insightful

    Even if they did delete the original file it would not be stealing, but destruction of property.

    Thank you for pointing out the flaw in the open door analogy that always gets trotted out. Although intent does play a factor, the important word in the law is "unauthorized" or whether or not actions "exceeded authorization".

    Web servers are not open doors, and they are not like TRON.

    They simply serve documents. Sometimes they will ask for security credentials before serving the document, or check internal policies (htaccess/session based authorization and ACL), but always end up serving a document even if it is a simple response in a header like a 404.

    The only thing these hackers did was ask for a file (robots.txt) and notice that it mentioned another file and then asked for it directly.

    "Exceeded authorization" would be an interesting argument because computers always do what you tell them to do, not what you meant for them to do. So while this company may not have intended to give authorization, they did, in fact, give authorization to download the file. At the very least, they did not deny the hackers the ability to download the file, and were at no time confused about the identity of the hackers (representing public users).

    If there is any appropriate analogy here it is that the company had a moron executive walking around with a briefcase full of business data, some random person asked if it was the business data and if they could have it, and the moron executive said why not, here it is. After the fact, random person contacts company, informs them of said stupidity, and attempts to assess "idiot tax".

    Idiot tax is highly appropriate here.

    I would not prosecute these so-called hackers for computer crimes, but simple extortion.
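The comment above turns on the fact that a web server withholds a document only when an access check is configured, and that robots.txt is itself a public document. A site owner can audit for that gap on their own server. The following is an added example, not code from the original thread; the sample robots.txt, the `/affiliate-stats/` path, the status map and the keyword list are constructed assumptions.

```python
# Added example: flag robots.txt Disallow paths an anonymous request can still fetch.
SENSITIVE_HINTS = ("admin", "affiliate", "report", "stats", "backup")  # assumed keywords

SAMPLE_ROBOTS = """\
# constructed sample, not the lender's actual file
User-agent: *
Disallow: /cgi-bin/
Disallow: /affiliate-stats/   # hypothetical path
Disallow: /images/
Allow: /

User-agent: ExampleBot
Disallow: /affiliate-stats/
"""
# Constructed: status codes the site owner saw for unauthenticated GETs to their own server.
SAMPLE_STATUS = {"/cgi-bin/": 403, "/affiliate-stats/": 200, "/images/": 200}

def disallowed_paths(robots_txt):
    """Return unique Disallow paths, in file order, across all user-agent groups."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()  # robots.txt comments start with '#'
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field.lower() == "disallow" and value and value not in paths:
            paths.append(value)
    return paths

def audit(robots_txt, unauth_status):
    """Label each Disallow path by what an anonymous client receives."""
    findings = []
    for path in disallowed_paths(robots_txt):
        status = unauth_status.get(path)
        if status == 200:
            # Served to anyone who asks: robots.txt is a hint, not a gate.
            hinted = any(h in path.lower() for h in SENSITIVE_HINTS)
            label = "EXPOSED-SENSITIVE" if hinted else "EXPOSED"
        elif status in (401, 403):
            label = "PROTECTED"  # the server asked for credentials or refused
        else:
            label = "CHECK"      # redirect, 404, wildcard rule or not probed
        findings.append((path, status, label))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROBOTS, SAMPLE_STATUS):
        print(finding)
```

A path labelled `PROTECTED` is still advertised by robots.txt; the fix for an `EXPOSED-SENSITIVE` finding is an access check on the server, not removing the line.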

  3. Re:Strange sense of morals by tehcyder · Score: 5, Insightful

    If those hackers get caught and fined

    These geniuses will get more than a fucking fine if they're caught. Blackmail and extortion are serious criminal offences, so they'll be spending some quality time in prison.

    --
    To have a right to do a thing is not at all the same as to be right in doing it
  4. Re:Strange sense of morals by 10101001+10101001 · Score: 5, Insightful

    That is like saying that if I drop my credit card in the street I have "published" its details for everyone to see due to my own carelessness.

    More accurately, it's like accidentally posting a photocopy of your credit card on a bulletin board, presumably with a variety of other documents.

    I really hope people like you get their bank accounts cleared out by criminal twats like these idiots, then you'll see whether "just copying" information is so fucking harmless.

    Interestingly enough, if you were to do the above and be so careless, I'm not entirely sure if the bank would be obligated to refund your money. Certainly, most banks/credit card companies have policies that speak about only 24 hours to report "stolen" credit card information to maintain minimal liability on the card holder's part. Having said that, the criminal is still, well, criminal.

    Want to share your bank login and password information with me?

    Considering the GP didn't speak about "just copying" information being harmless, I'd gather the answer is no. After all, the point isn't that blackmail or clearing out someone else's bank account isn't illegal and unethical/immoral. It's that one can't charge the person with "hacking" just because you're careless any more than you could charge people with theft because they took a photo of your photocopied credit card. I mean, a lot of people may have accessed the information and done little or nothing with it; but certainly, there's a lot of legal things you could do, like mock the person who was so careless with their personal/company details.

    --
    Eurohacker European paranoia, gun rights, and h