A data breach at a Lithuanian cosmetic surgery clinic has resulted in 25,000 private photos, including nude pictures, being posted online.

The criminal group, which calls itself “Tsar Team”, hacked the servers of the Kaunas-based Grozio chirurgija clinic earlier this year and demanded 300 bitcoin – about €730,000 – which it called “a ‘small penalty fee’ for having vulnerable computer systems”. The clinic refused to pay.

Patients, reportedly including a number of celebrities, were also blackmailed, with the criminals demanding bitcoin payments of between €50 and €2,000 depending on the sensitivity of the data, which included passport and credit card details, national insurance numbers, and nude ‘before’ and ‘after’ surgery pictures.

“Clients, of course, are in shock. Once again, I would like to apologise,” Jonas Staikunas, the director of Grozio chirurgija, told local media. “Cybercriminals are blackmailers. They are blackmailing our clients with inappropriate text messages.”

When the extortion demands were not met, the group released the entire database.

The clinic has warned its patients not to engage with the blackmailers, but to inform the police immediately. Lithuanian police say dozens of victims have already come forward.