Cyber Incident Victim: AFC Kredieten
Date:
Jul 2015
Location:
Belgium
Summary
A hacker group named Rex Mundi breached a Belgian loan company, stealing 24,000 financial records of loan applicants and threatening public release unless a ransom was paid. The attackers displayed a banner on the victim's website as proof of compromise, alleging the company had inadequate security measures. The organization refused to negotiate, asserting it bore no responsibility for applicant data since the affected individuals were not formal customers and claimed no reputational risk would occur from potential disclosure. The hackers stated their sole motive was financial gain, offering to delete stolen data upon payment while declining to confirm whether previous targets had paid ransoms.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In July 2015, Belgian loan company AFC Kredieten suffered a data breach orchestrated by the hacker collective Rex Mundi, who claimed to have stolen 24,000 financial records belonging to loan applicants. The group issued a public extortion threat, demanding payment by Friday at 8pm that week to prevent the full publication of the stolen data. As evidence of their compromise, Rex Mundi published a selection of personal records and defaced the AFC Kredieten website with a banner notification announcing the breach. The hackers asserted they had notified AFC Kredieten of the intrusion on Monday, yet the banner remained visible on the company’s site through at least Thursday afternoon. Rex Mundi characterized their targets as organizations with "mediocre IT security protocols or poorly-designed web applications," positioning AFC Kredieten as the 18th company they had attempted to extort under this rationale. The collective maintained a strictly financial motivation, emphasizing they provided victims an opportunity to pay for data deletion or face public exposure of the compromised information.
AFC Kredieten adopted a defiant stance, refusing to negotiate with the hackers and declining to characterize the affected individuals as customers. A company spokeswoman asserted that since the breached data belonged to loan applicants rather than approved borrowers, AFC bore no responsibility for safeguarding their information or notifying them of the incident. She stated, "AFC Credits is the victim here," framing the hack as an illegal act against the company alone and warning that media coverage could violate Belgian law. The organization dismissed concerns about reputational damage even if Rex Mundi followed through on its publication threat. Rex Mundi, for its part, declined to confirm whether any previous extortion targets had paid ransoms but reiterated its policy of permanently deleting stolen data upon receiving full payment, positioning their actions as a business transaction rather than an ideological campaign. The standoff left the 24,000 applicants’ personal and financial data in limbo, with no indication from either party that protective measures or disclosures would be extended to the affected individuals.