November 6, 2008 4:32 PM PST

Extortion used in Express Scripts database breach

by Robert Vamosi

The customer database of Express Scripts, a company used by employer health care services to provide prescription medicine by mail, has been breached. In a twist, the company said it learned of the breach in "a letter from an unknown person or persons trying to extort money from the company."

The company posted details on its Web site Thursday. The letter, received in October, threatened to reveal millions of customer records--including Social Security numbers, addresses, dates of birth, and in some cases, prescription information--on the Internet if the extortion demands were not paid. The company did not disclose what those demands were.

Graham Cluley, of security software maker Sophos, told CNET News that Express Scripts did things right. "It appears they have not paid up." He noted that's important with data theft because the criminals have the data in their possession and can keep going back to the company to get more and more money. Second, Express Scripts went to the FBI and decided to go public about the breach.

"We have identified where the data involved in this situation was stored in our systems and have instituted enhanced controls," Express Scripts said on its site.

Cluley said: "I think it's going to be old-fashioned police work that gets to the bottom of this." For example, it's possible the sender of the extortion request and the attacker used the same servers.

Usually extortion is used in connection with denial-of-service attacks, when the criminals have nothing of value except the sheer volume of traffic to spew at a targeted site. A letter is sent asking for money in exchange for ending that attack.

This, however, is an old-school data theft. The criminals presumably have millions of customer details that can be sold on the Internet. But Cluley notes that "people's identities sell for a relatively small amount, and if you go to an auction site on the Web and try to barter on that, you might not get that much as you might potentially get by embarrassing a company."

A few weeks ago, Sophos noted a similar data breach/extortion attempt at a North American Maserati dealership. Still, Cluley said he does not think this was the beginning of a trend.

Cluley said the thieves in this case might not be connected with the established "carder" world, where personal identities are bought and sold online. "Maybe this is an accidental data leakage, something they stumbled across, maybe they're not part of the criminal community, and they're just taking their chances."

Express Scripts said it will notify affected customers in compliance with state regulations.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
4 Comments
by Penguinisto November 7, 2008 6:32 AM PST
Most likely scenario: The crims have maybe a small amount of data, and there's evidence of penetration on the servers, so they send an extortion letter to try and get more dough.

Why? Simple: If they had (literally) millions of folks' data, they could have sold it by now on the under-markets --for more money-- than they would have gotten from any extortion letter... and they would've had an ongoing supply of fresh ones from a leak (or compromise) the company apparently never knew about.

That, or the crims are extremely stupid...

Props to Express Services for doing the right thing in response, though.

/P
by DrollTroll November 7, 2008 7:36 AM PST
Whoa, Penguin dude... you haven't got all the scenarios. These crims may be stupid. They also might have millions of data already sold--why not get even more bucks and extort; thieves can be greedy just like Wall St and mortgage banks.
BTW, what did Express Scripts do right? My friend belongs to Express Scripts and has yet to be notified of anything. In situations like this IMMEDIATE notice is very important so credit freezes can be implemented right away (like how about a public notice in big city newspapers so all members can know?). Express Scripts is acting like most other companies whose data is compromised.
by Penguinisto November 7, 2008 10:05 AM PST
"The right thing" in this case is to not give in to extortion, no? Or would you prefer they gave in but have the data still out there?

Yep - the crims may be stupid... but (normally) not stupid enough to kill the golden goose with an extortion letter, alerting the victim that they're leaking data.

Your friend may be a while in getting notified because they're likely combing through the records to see whose data leaked out.
by dmeizlik November 7, 2008 8:21 AM PST
Yeah - something doesn't add up here. Regardless, data thieves shouldn't use customer data for extortion. A data breach involving customer data - by law - has to be disclosed. Instead, they should use IP for extortion... it's just as, if not more, valuable and the company isn't legally bound to disclose it. :-)

Dave
http://ondlp.com