Cyber Incident Victim: London Bridge Plastic Surgery
Date:
Oct 2017
Location:
United Kingdom
Summary
Hackers known as The Dark Overlord breached a London-based plastic surgery clinic, stealing terabytes of sensitive patient data including graphic surgical photos, databases, and personal information, which they claimed involved high-profile individuals such as royals and celebrities. The clinic confirmed the cyberattack, engaged law enforcement, and acknowledged data theft but was still investigating the full scope. The attackers threatened to publicly release the entire patient list with corresponding photos, taunting victims and sharing explicit images with journalists to demonstrate their access. The group, previously linked to breaches of U.S. medical centers, schools, and Netflix-related studios, maintained possession of the stolen data but had not yet disseminated it publicly at the time of reporting.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around October 17, 2017, hackers identifying themselves as The Dark Overlord breached the systems of London Bridge Plastic Surgery (LBPS), a prominent London-based plastic surgery clinic near Marylebone. The attackers stole terabytes of sensitive data, including graphic surgical photographs depicting in-progress genitalia and breast enhancement procedures, post-operative patient images (some showing identifiable faces), internal databases, and comprehensive patient lists. The Dark Overlord claimed the stolen data included records of royal family members and British celebrities, referencing tabloid reports of stars like TV personality Katie Price being LBPS clients. To substantiate their claims, the hackers contacted a Daily Beast reporter using an LBPS email account and provided a cache of exclusive surgical photos. These images featured LBPS’s chief surgeon, Chris Inglefield, wearing his signature multicolored head scarves—details consistent with his public photos on the clinic’s website. Reverse image searches confirmed the photos were not publicly available prior to the breach. The group taunted victims and journalists, mocking specific surgical images and threatening to release the entire dataset publicly, stating they would “pitch it all up for everyone to nab” to expose patients globally.
LBPS detected the breach promptly, implementing immediate measures to block further unauthorized access and engaging IT experts to assess the intrusion. The clinic reported the incident to the Metropolitan Police on October 17, triggering an investigation by the Met’s Organised Crime Command. In public statements, LBPS acknowledged the security compromise and data theft but emphasized ongoing efforts to determine the full scope of exfiltrated information. The Dark Overlord’s history of extortion—including prior attacks on U.S. medical centers, schools, and a Netflix-linked production studio—raised concerns about potential data distribution or ransom demands, though no public release occurred by the time of The Daily Beast’s October 23 article. The breach risked severe reputational harm to LBPS and profound privacy violations for patients, whose sensitive medical images and identities were exposed. Police inquiries remained ongoing with no arrests announced. The clinic faced intensified scrutiny due to its high-profile clientele and the graphic nature of the stolen data, compounding operational and legal repercussions.