Ex-data analyst stole company data in $2.5M extortion scheme
A 27-year-old former data analyst contractor at Brightly Software (owned by Siemens) was convicted of stealing sensitive employee data and extorting the D.C.-based SaaS company for $2.5 million. The attacker, using the alias "Loot," leveraged his authorized access to pilfer payroll and personal information between August-December 2023, then threatened to leak the data and report the company to the SEC unless paid, resulting in partial Bitcoin payment of $7,540 before FBI arrest.
Summary
A 27-year-old former data analyst contractor at Brightly Software (owned by Siemens) was convicted of stealing sensitive employee data and extorting the D.C.-based SaaS company for $2.5 million. The attacker, using the alias "Loot," leveraged his authorized access to pilfer payroll and personal information between August-December 2023, then threatened to leak the data and report the company to the SEC unless paid, resulting in partial Bitcoin payment of $7,540 before FBI arrest.
Full text
Ex-data analyst stole company data in $2.5M extortion scheme By Sergiu Gatlan March 20, 2026 02:57 AM 0 A North Carolina man was found guilty of extorting a D.C.-based technology company while still being employed as a data analyst contractor. While a Justice Department press release published on Thursday doesn't name the victim, court documents reveal that he targeted Brightly Software, a Software-as-a-Service (SaaS) company previously known as SchoolDude, which Siemens acquired in August 2022. Brightly has been in business for more than 20 years, employs over 700 people, and provides intelligent asset management and maintenance software to over 12,000 clients worldwide, mainly in the United States, Canada, the United Kingdom, and Australia. As revealed in the indictment, 27-year-old Cameron Curry (also known as "Loot") took advantage of his access to Brightly's payroll information and corporate data to steal sensitive documents, which he used as leverage in an extortion scheme after learning that his six-month contract wouldn't be extended. One day after his contract ended on December 10, Curry began sending over 60 extortion emails to Brightly employees using the lootsoftware@outlook.com Microsoft email address and the Loot alias, threatening to leak sensitive information stolen between August and December 2023 unless he was paid a $2.5 million ransom. With the extortion messages, Curry also attached screenshots of spreadsheets listing the personal identification information (PII) of Brightly employees, including names, dates of birth, home addresses, and compensation information. He also threatened to report the company to the U.S. Securities and Exchange Commission (SEC) for failing to disclose the breach as required by law. "We will commence the process of disseminating salary information starting January 1,2024 in phases to all employees and will report you to the SEC after for not reporting the breach," Curry threatened in one of the extortion emails. "If you wish to reclaim your data, we recommend doing so promptly at 2.5 million USD in order to save your company and stocks, as each subsequent month will incur a $100,000 USD increase. Discrepancies in your books are currently over 16 million USD, posing a potential risk for retention issues, a hostile work environment, resentment, and more." Extortion email sample (Justice Department) Following Curry's numerous extortion emails, Brightly paid $7,540 in Bitcoin, which was transferred to a cryptocurrency wallet controlled by Curry. The FBI searched Curry's residence on January 24 after the company reported the incident and seized various electronic devices containing evidence of his extortion scheme. Curry was released on bond in January 2024 and now faces up to 12 years in prison for six counts of transmitting or willfully causing interstate communications with the intent to extort a victim company. Brightly also notified customers of a data breach unrelated to this case in May 2023 after attackers gained access to the database of its SchoolDude online platform and stole credentials and personal data (including names, email addresses, account passwords, phone numbers). Information filed with the Office of the Maine Attorney General revealed that the intrusion was discovered 8 days after the attackers breached Brightly's systems on April 20, and that the data breach affected nearly 3 million SchoolDude customers and users. Red Report 2026: Why Ransomware Encryption Dropped 38% Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded. Download The Report Related Articles: Ericsson US discloses data breach after service provider hackUH Cancer Center data breach affects nearly 1.2 million peopleExposed MongoDB instances still targeted in data extortion attacksFrom Cipher to Fear: The psychology behind modern ransomware extortion American Airlines subsidiary Envoy confirms Oracle data theft attack
Indicators of Compromise
- email — lootsoftware@outlook.com
- malware — Cameron Curry / Loot