Company Pays $300K Ransom To Ex-Employee Who Stole Personal Data of Millions

An ex-employee has been paid at least $300,000 ransom by his former employer, after claiming he stole the private data of more than a million customers, as well as thousands of employees.

The employer, Asurion, is a global phone insurance and tech support company based in Nashville, Tennessee, and the suspect has been identified by the FBI as former Asurion employee Nicholas Burks, of Antioch, who was fired by the company in March.

As reported in the Tennessean, Burks claimed in an anonymous email that he had more than 100 terabytes of Asurion's 'sensitive data', including more than a million customers' names, addresses, phone numbers and account numbers, and thousands of employees' social security numbers and banking information.

"At this point, there is no evidence to suggest that sensitive customer data has been compromised," said Asurion spokeswoman Nicole Miller, after Burks threatened to pass on information to media outlets and Asurion's competitors if he was not paid $350,000 in bitcoin within 24 hours.

"Based on our review," Miller continued, "the person had limited information regarding a small number of employees, as well as general company information. We are supporting our employees through identity theft protection services."

According to an FBI search warrant application, "the extortion scheme began when seven Asurion executives received an anonymous email threatening to release corporate information ... To prove he wasn’t bluffing, the extortionist attached samples of the corporate documents, including social security numbers of some employees ... The suspect(s) concluded his email by stating that his only motivation was money."

At the same time Asurion launched an internal investigation and contacted the FBI, the company paid daily amounts of $50,000 as a way to stall 'the extortionist'. During this time, the internal investigation revealed that a corporate laptop was missing and Burks was the last known user. It was then discovered the laptop had accessed the corporate network numerous times in the days before Burks' dismissal.

When Burks had been identified as a possible suspect, law enforcement tailed him in the hope he would confirm their suspicions. This he did when a law enforcement officer watched Burks as Asurion paid him $5,000. Burks typed something on his phone and moments later Asurion received an email from Burks demanding more money.

. . .

If you want to stay notified of vulnerabilities that affect you, register for a weekly security report customised to your stack.