In recent days, the Medusa ransomware group has published the name of a new victim, Rent 2 Own, on its .onion blog.
Rent 2 Own is a U.S.-based company offering a rent-to-own service for products such as furniture, electronics, appliances, and more, with over 40 retail locations.
As evidence, Medusa released a series of 31 documents containing sensitive customer data from individuals who made purchases over the years through distribution networks in the states of Ohio and Kentucky. The data reviewed by SuspectFile.com includes:
Renters’ details:
- First name and last name
- Date of birth
- Gender
- Full address
- Home phone number
- Mobile number
- Driver’s license number
- Social Security number
Co-Renters’ details:
- Co-Renter’s name
- Date of birth
- Gender
- Driver’s license number (in some cases)
- Social Security number (in some cases)
Renters’ Employer details:
- Company name
- Job title
- Full address
- Phone number
Note: full names and phone numbers of three personal references are present in all customer records. Additionally, payment frequency, payment amounts, and due dates are listed.
Here are two examples of the forms that Rent 2 Own uses to store, without any protection, the sensitive data of its customers, which we know to be nearly 50,000.
Screenshot and redaction by SuspectFile.com
Screenshot and redaction by SuspectFile.com
The deadline set by the group is January 18. If Rent 2 Own does not pay a ransom of $200,000 by that date, the data will be made public on the Medusa Telegram channel.