
Cyber Extortion: Give Us Your Money Or We'll Expose Your Customers' Sensitive Personal Data

This is the first time I have read about this type of extortion scam happening to a company. Last week, CNN Money reported:

"Express Scripts said Thursday it has received a letter demanding money from the company under the threat of exposing records of millions of patients. The threat was made in an anonymous letter that the company turned over to federal investigators. The letter, received in early October, included personal information on 75 people covered by Express Scripts, including birth dates, social security numbers and prescription information."

The thieves are essentially saying: pay us or we'll expose more of your customers' sensitive personal data. And to prove it, enclosed is some of the data we've already stolen. Yikes!

According to MarketWatch, some of Express Scripts' clients have also received extortion letters. The company's response so far:

"Express Scripts said it has contracted with Kroll, a New York-based risk-consulting firm and global data security leader to offer expert assistance to its members if they have become victims of identity theft because of this incident... Details about Kroll's services and the identity restoration offer can be found at www.esisupports.com"

Clearly, Express Scripts has had a large data breach and needs to respond effectively and support its data breach victims. Correctly, the company is working with the F.B.I. and with Kroll.

According to the company's web site, Express Scripts has been listed in the Fortune 500 since 2000, received the URAC's Best Practices in Consumer Empowerment and Protection Award in 2008, made Forbes' 75 Most Reputable Companies in the U.S. list in 2008, and received Information Week's 500 Most Technologically Progressive Companies award from 2002 to 2005. Obviously, none of that was enough to guarantee effective data security.

I have heard of this extortion scam happening to individuals, where scammers take over your computer remotely via a computer virus and demand money in exchange for the virtual release of your computer. This happened to a former coworker in Boston. Her husband's PC was taken over by scammers in eastern Europe. She and her husband never paid the extortion money, and instead paid a local computer technician to rebuild her husband's PC Mac notebook. But the Express Scripts case is the first instance I've read of this extortion scam involving a company.

This extortion scam has plenty of implications. Express Scripts' databases contain sensitive personal data for many consumers, since it manages the prescription benefits for more than 50 million people through its client companies, employers, and union-sponsored plans. The identity thieves have smartly targeted medical data, since there are many data security holes within the medical industry.

I hope that companies don't pay thieves in these types of scams. There's no way of knowing whether or not the thieves have already re-sold the stolen data. There's no way of guaranteeing that the thieves will return or delete the stolen information. And, it invites more identity theft.

Comments


Wayne Allen

I enjoyed your blog. I believe your post was right on. It is best not to give in to this type of demand; the outcome will never be good, and if it works they will just do it again.

Lisa Moore

I wonder how these thieves hack the computer systems of big companies. Express Scripts and all companies should have strong protection from hackers, as they are spread all over the internet. Like in our company, we are online the whole time we're in the office. Every file is saved online for easy access by our employees. But before we totally set up our computers, we sought advice on our network support. Boston is where we contacted an IT expert. So far, our server is still fully protected.

- Lisa Moore
