Rex Mundi exposes thousands of customer details after payday lender AmeriCash refuses to fork over ransom

Hacker group Rex Mundi has made good on its promise to publish thousands of loan-applicant records it swiped from AmeriCash Advance after the payday lender refused to fork over between $15,000 and $20,000 as an extortion fee -- or, in Rex Mundi's terms, an "idiot tax."

The group announced on June 15 that it was able to steal AmeriCash's customer data because the company had left a confidential page unsecured on one of its servers. "This page allows its affiliates to see how many loan applicants they recruited and how much money they made," according to the group's post on dpaste.com. "Not only was this page unsecured, it was actually referenced in their robots.txt file (bad, bad move, guys)."

Rex Mundi not only used the post to chastise AmeriCash for purported lackluster data security, it also took a swipe at the company's business model, criticizing it for targeting low-income workers with "vastly overpriced" loans. AmeriCash's APRs (annual percentage rates) range from 353 percent on up to 1,368 percent.

Rex Mundi isn't the first hacker group to claim the moral high ground when choosing targets. A group called UGNazi leaked and deleted customer data stolen from online billing service provider WHMCS last month, accusing the company of providing services to known scammers. Also last month, a group called The Unknowns revealed it was exposing security holes in the IT systems of prominent organizations such as NASA and branches of the U.S. military to force them to improve their defenses.

However, unlike the aforementioned groups or, say, Anonymous, Rex Mundi has acknowledged that money is a motivator. "We <3 hacktivists like @AnonymousPress. However, we're in it for the money, which is also pretty awesome," the group tweeted last week.

In a statement to Cnet, AmeriCash acknowledged that its servers had been breached and the hacker group had attempted to extort a ransom in exchange for not publishing the stolen customer data. "On June 12, AmeriCash Advance received a fax, telling us that part of our website had been hacked. The letter went on to demand initial payment of $15,000 from us. We immediately notified the appropriate authorities and promptly took steps to ensure that no other data could be accessed. We will not cave in to blackmail, and are cooperating fully with the authorities to protect our customers and bring these criminals to justice."

The statement went on to say that AmeriCash notified those who had been affected and warned them to be vigilant, as the stolen data could be used in phishing attacks. The stolen data includes customers' names, their email addresses, the last four digits of their Social Security numbers, and the names of their financial institutions.

Rex Mundi appears to have been on a tear of late as it follows a similar template. The group claims to have stolen data over the past couple of months from organizations, including a loan company called Elantis and a temp agency called AGO-Interim. The group's modus operandi evidently includes publicly criticizing its targets' lackluster security and business practices.

For example, the group posted the following regarding its hack of AGO-Interim: "After having penetrated the servers of Elantis -- a Belgian loan company -- last month, we decided to set our sights on temporary work agencies. Why? Well, because those guys make an outrageous amount of money by exploiting under-skilled workers. (And also because they typically do not spend much when it comes to securing their Web applications ...) We quickly noticed that the website of AGO-Interim ... was completely unprotected against client-side attacks."

The hacker group claims to give its targets a deadline to fork over a ransom -- an "idiot tax" -- in exchange for not publishing the entirety of the data it steals. It demanded €35,000 (around $44,000) from Dexia Bank, Elantis' parent company. According to reports, Dexia claimed it did not pay the ransom, yet Rex Mundi did not post the institution's stolen data. AGO-Interim was not so fortunate; Rex Mundi posted data related to some 10,000 data applicants on June 13.