Hackers Find Bugs, Extort Ransom, Call It a Public Service (threatpost.com)
Reader msm1267 shares a report on ThreatPost about an ongoing security trend: Crooks breaking into enterprise networks are holding data they steal for ransom under the guise they are doing the company a favor by exposing a flaw. The criminal act is described as bug poaching and is becoming a growing new threat to businesses vulnerable to attacks.
Hackers are extorting companies for as much as $30,000 in exchange for details on how hackers broke into their network and stole data. Researchers say once the intruders steal the data, there's no explicit threat that they will break in again or release data if companies don't pay. Instead, attackers release a simple statement demanding payment in exchange for details on how to fix the vulnerability.
Typical bug poaching incidents start with criminals breaking into a network and stealing as much sensitive data as they can. Next, they post the data to a third-party cloud storage service. Lastly, the attackers email the company links to the data as proof the information was stolen and ask for a wire transfer of money in exchange for how the data was stolen.
During the attack, victims are not threatened with the public release of their data, instead attackers simply send a message that reads: "Please rest assured that the data is safe with me. It was extracted for proof only. Honestly, I do this job for a living, not for fun."
If it's genuinely not about the money, demand that the company donate the specified amount to a specified charity.
Technically, prosecutors can't charge blackmail because they haven't said your data will be exposed unless you pay. They are only asking to be paid for how to patch the security flaw. (White hacking + data extraction) Of course the idea is to add "incentive" with the data being in public, unauthorized space. But they haven't said it would be leaked unless payment is given (or only take it down on the same terms). Of course the victim could turn that around and say, "Before we discuss the merit of your services, let's say you remove all the files I own from your server, allow me access so that I may be satisfied that it is destroyed and no spare copies exist, you tell me how you broke into my system and how to patch it up, and in exchange I don't send your name and your communications to me to the cyber crimes division of the FBI. It's a bargain considering the alternative, and some free advice in return for your assistance... stop short of actually stealing files before asking for a fee for your proactive 'good citizenry'. Appreciate your efforts."
Be careful with those bandwagon fallacies.
Like all actions undertaken by people, the issue revolves around motive.
' Comment's pseudocode, tidied into consistent VBScript-style syntax
' (single = for comparison and assignment, Boolean values, every If closed)
If Motive = "Personal enrichment" Then
    ExtortMoney = True
    SellStolenData = True
Else
    If Motive = "End-User security improvement" Then
        If LegitimateEthicalDisclosureSuccessful = True Then
            ExtortMoney = False
            SellStolenData = False
        Else
            ExtortMoney = True
            SellStolenData = False
        End If
    End If
End If
E.g., the extortion is just a means to compel the obstinate corporation running the grossly insecure system into actually taking SOME action besides "sue and ignore".
When enough well-meaning grey hats get "sued and ignored" for Big Corporate Profits, expect their tactics to change from the benign "uhm, hey guys-- You totally have all your shit on a public facing anon FTP server. I can see all your exchange server's dirty laundry. Consider fixing it, m'kay?" into a "Look bros, not only are you stupid fucks that treat user data like it's nothing, you left all your dirty, illegal practices open to public scrutiny by being idiots with your security. Here's how you should properly secure that shit-- Now pay me 30k for the service."
And, if the idiots running these shitty services continue balking about having to actually do things right, expect it to escalate even further to "If you blow me off, I will give the data to somebody who could actually use it," which is the next logical step.
I have done some grey-hat things (I have literally stumbled across servers that were not intended to be internet facing, that contained privileged data. Thankfully they were from research groups and universities, not corporations. Google indexes LOTS of interesting places.) but I did not exploit that-- I found ethical disclosure to the site operator was sufficient. From what I have been reading though, corporations tend to sue first, and thank never. Instead of getting friendly letters alerting them to the issue, they have forced people to hold the data hostage.