A data breach at a Lithuanian cosmetic surgery clinic has resulted in 25,000 private photos, including nude pictures, being posted online.

The criminal group, which calls itself “Tsar Team”, hacked the servers of the Kaunas-based Grozio chirurgija clinic earlier this year and demanded 300 bitcoin – about €730,000 – which it called “a ‘small penalty fee’ for having vulnerable computer systems”. The clinic refused to pay.

Patients, reportedly including a number of celebrities, were also blackmailed, with the criminals demanding bitcoin payments of between €50 and €2,000 depending on the sensitivity of the data, which included passport and credit card details, national insurance numbers, and nude ‘before’ and ‘after’ surgery pictures.

“Clients, of course, are in shock. Once again, I would like to apologise,” Jonas Staikunas, the director of Grozio chirurgija, told local media. “Cybercriminals are blackmailers. They are blackmailing our clients with inappropriate text messages.”

When the extortion demands were not met, the group released the entire database.

The clinic has warned its patients not to engage with the blackmailers, but to inform the police immediately. Lithuanian police say dozens of victims have already come forward.