The Tribune

By NEIL HARTNELL

Tribune Business Editor

nhartnell@tribunemedia.net

Hackers are trying to extort $30,000 from the Bahamas-based Fidelity Group of Companies, which yesterday moved to reassure clients there had been no widespread leak of personal financial data.

Anwer Sunderji, Fidelity’s chairman, confirmed to Tribune Business that a group called ‘Hack for Trump’ had contacted it and demanded a ransom payment for not publicly releasing the hacked data via the Internet.

He emphasised that the group, which claims it will use the payment to finance Donald Trump’s US presidential campaign, had admitted itself that it had been unable to access the sensitive personal financial data that Fidelity held on its customers.

Mr Sunderji told Tribune Business that the group appeared to have hacked an external server that hosts Fidelity’s public website, adding that it holds “minimal information”.

Contacted by this newspaper after it was e-mailed by ‘Hack for Trump’, boasting about what it had accomplished, the Fidelity chairman said: “We’re not going to pay them $30,000. It’s blackmail; a shakedown.

“They hacked a vendor’s server, and got some information that’s not terribly important to us, saying that unless we pay them $30,000 they’re going to distribute it to the media.”

Mr Sunderji confirmed that Fidelity had contacted both the Royal Bahamas Police Force and the Central Bank of the Bahamas, given that it had fallen victim to a criminal offence.

Reassuring Fidelity’s hundreds of clients, he told Tribune Business: “We know that none of the data we have got compromised.

“They [Hack for Trump] say themselves, they confirmed, that they weren’t able to break into our servers. They got our personnel evaluations and they got e-mails that were received via our general information address on our website.”

Mr Sunderji said the only possible exposure was “minor”, and involved the possibility that “a very small number of customers” may have e-mailed their account or policy numbers to the general e-mail address on the website.

‘Hack for Trump’s small financial demand implies that it has obtained little of significance. And, given that the US billionaire mogul has advertised his presidential campaign as self-financing, it is clear that there is no connection between Donald Trump and the hackers, or that they would send their extortion proceeds in his direction.

The hackers’ e-mail to Tribune Business read: “Our name is Hack For Trump and we wish to inform you that we hacked the website of Fidelity Group (fidelitygroup.com), an offshore bank with offices in the Cayman Islands and in the Bahamas.

“We did not get access to their customers’ financial data, but we managed to dump three databases serving their main website. This data contains various confidential details about the bank, as well as hundreds of e-mails sent by prospective and existing customers, both local and foreign ones.

“We demanded $30,000 from Fidelity Group, payable before Friday September 18, in exchange for not posting their databases on the Internet.

“If Fidelity does pay us, we plan on using those funds to help Donald Trump get elected to the White House, as he is the only candidate who can restore America to its former glory.”

Mr Sunderji, in his letter to regulators, confirmed that Hack for Trump had contacted the bank last Friday with its extortion demands.

He wrote: “For the avoidance of doubt, the information that was apparently obtained was not accessed from Fidelity’s own internal servers, which house confidential data, but rather from an external hosting server which hosted Fidelity’s public website.

“We have analysed the data that resides on this server, and it holds minimal information. We do understand that there is the potential that a very small number of customers may have e-mailed the bank via the website with their account or policy numbers within the body of their e-mail, and that those e-mails may have been accessed.

“However, as mentioned above, given that the server accessed was the bank’s vendor’s server the exposure is very minor and we have reached the following conclusions.”

Detailing these, Mr Sunderji said: “One, only the webserver at our vendor’s location was compromised.

“Two, none of Fidelity’s secure servers which host client, banking, insurance or other information were compromised.

“Three, no customer logins or other security details were compromised.

“Four, the information that was compromised is primarily comprised of internal staff reviews and general inquiry e-mails that were sent to Fidelity through its website.”

Mr Sunderji concluded: “Fidelity has not succumbed to the blackmail demand and we have, over the past week, taken all reasonable steps to ensure that client data has not been compromised.

“We will continue to monitor our own servers and will continue to ensure that appropriate Internet security measures are in place.”

The episode, though, serves as a warning reminder to Bahamian companies about the enormous financial and reputational damage that can be inflicted by hackers and data breaches that release confidential, personal and financial data.

Companies such as Target, J. P. Morgan Chase and Ashley Madison have all fallen victim in recent years to data theft, which can be exploited by criminals to for purposes of financial fraud and identity theft.