Cameron Nicholas Curry was convicted on six counts of extortion on March 18, 2026. The 27-year-old data analyst contractor stole payroll records from Brightly Software, a Siemens subsidiary with 12,000+ clients in education and government. He demanded $2.5 million in cryptocurrency under the alias "Loot." The company paid in January 2024.
Siemens paid $1.575 billion plus a $300 million earn-out for Brightly (formerly Dude Solutions) in August 2022. The SaaS provider has around 800 employees and serves schools, hospitals, and government agencies across the US, Canada, the UK, and Australia. The DOJ did not name the victim, but court documents identified Brightly.
Curry worked at Brightly on a six-month contract starting August 2023. After learning it would not be renewed, he copied sensitive documents while still employed, including compensation data, personnel records, and employee PII. The contract expired December 10. His first extortion email landed the next morning.
Over the next six weeks, Curry sent 60+ emails to Brightly employees and executives from lootsoftware@outlook.com. Each included screenshots of spreadsheets listing employee names, dates of birth, home addresses, and salaries. He framed the whole operation as salary transparency activism.
Loot and our partners aim to ensure that everyone is being paid accordingly, providing employees with the leverage they deserve while also adhering to federal government regulations on protected acts.
— Cameron Curry, from the indictment
Some emails targeted individuals. Curry told one member of the legal team they were not getting a bonus while most executives did. He threatened to give employees instructions on pursuing pay discrimination claims through mediation, the EEOC, or a class-action lawsuit. The "salary transparency" framing was social engineering designed to make recipients sympathize with the extortionist rather than report the emails to security.
Curry added a second pressure lever. He threatened to report Brightly to the SEC for failing to disclose the breach, citing the new cybersecurity disclosure rules that had just taken effect. The SEC's framework (adopted July 2023) requires public companies to report material incidents within four business days of determining materiality.
If you wish to reclaim your data, we recommend doing so promptly at 2.5 million USD in order to save your company and stocks, as each subsequent month will incur a $100,000 USD increase. Discrepancies in your books are currently over 16 million USD, posing a potential risk for retention issues, a hostile work environment, resentment, and more.
— Cameron Curry, from the indictment
Brightly notified the FBI on December 14, 2023, three days after the first email arrived.
Curry's operational security was poor. He opened a new Coinbase account using personal data to receive the ransom. Two of the debit cards linked to the account belonged to his mother and sister. Email metadata from lootsoftware@outlook.com and the cryptocurrency wallet details all pointed directly to him.
On January 24, 2024, FBI agents arrived at Curry's Charlotte apartment to execute a search warrant. Curry refused to leave. While agents waited, he sent messages to Brightly threatening to publish the stolen data if arrested. The FBI seized multiple electronic devices confirming the "Loot" alias. Curry was arrested and released on bond.
Curry's scheme mirrors external ransomware operations in structure. Data theft, escalating ransom demand, regulatory pressure. But Curry needed no exploit and no malware. He had a laptop and legitimate access. The compliance weaponization angle is not unique to insiders. Interlock ransomware operators cited GDPR and HIPAA in ransom notes documented by Amazon threat intelligence this same week. Turning breach disclosure rules against breach victims is becoming a standard tactic.
Brightly had already suffered a separate breach in April 2023. Attackers accessed its SchoolDude platform database and stole nearly 3 million customer accounts. The stolen records included names, email addresses, phone numbers, and unencrypted passwords, according to a Maine Attorney General filing. That incident is unrelated to Curry, but the company faced two security events in one calendar year.
U.S. Attorney Russ Ferguson announced the conviction after a three-day trial before Judge Kenneth D. Bell in the Western District of North Carolina. Curry faces up to two years on each of the six counts, for a maximum of 12 years. A sentencing date has not been set. Brightly has not issued a public statement.
Have a story? Become a contributor.
We work with independent researchers and cybersecurity professionals. Send us a tip or submit your article for editorial review.
