Credential theft

CD Universe Maxus Credit Card Extortion (300K Cards, First Major Breach Extortion)

📅 1999-12-01

Incident Details

In December 1999, an attacker known only as ‘Maxus’ (believed to be a ~19-year-old Eastern European) exploited a vulnerability in the payment processing systems of CD Universe, an early online music retailer, and stole approximately 300,000 customer credit card numbers. Maxus sent an anonymous email to CD Universe demanding $100,000 in ransom to not publish the stolen cards. CD Universe refused to pay and instead reported the matter to the FBI. In January 2000, Maxus posted approximately 25,000 of the stolen card numbers to a website called ‘Maxus Credit Card Pipeline’ and offered the remainder online. Maxus was never identified or arrested. This incident was one of the first widely reported cases of a cybercriminal extorting an online retailer with stolen customer data and refusing to accept ‘no’, pioneering the data extortion business model that ransomware groups would systematize two decades later. The breach also highlighted the growing risk of storing unencrypted payment card data in early e-commerce systems.

Technical Details

Initial Attack Vector
An attacker (known only as 'Maxus', believed to be an Eastern European teenager) exploited a vulnerability in CD Universe's payment processing software to access the customer credit card database.

Timeline

  1. 1999-12-01 Breach occurred
  2. 2000-01-10 Publicly disclosed
  3. 2000-01-10 Customers notified