This is the first time I have read about this type of extortion scam happening to a company. Last week, CNN Money reported:
"Express Scripts said Thursday it has received a letter demanding money from the company under the threat of exposing records of millions of patients. The threat was made in an anonymous letter that the company turned over to federal investigators. The letter, received in early October, included personal information on 75 people covered by Express Scripts, including birth dates, social security numbers and prescription information."
The thieves are essentially saying: pay us or we'll expose more of your customers' sensitive personal data. And to prove it, enclosed is some of the data we've already stolen. Yikes!
According to MarketWatch, some of Express Scripts' clients have also received extortion letters. The company's response so far:
"Express Scripts said it has contracted with Kroll, a New York-based risk-consulting firm and global data security leader to offer expert assistance to its members if they have become victims of identity theft because of this incident... Details about Kroll's services and the identity restoration offer can be found at www.esisupports.com"
Clearly, Express Scripts has had a large data breach and needs to respond effectively and support its data breach victims. Correctly, the company is working with the F.B.I. and with Kroll.
According to the company's web site, Express Scripts has been listed in the Fortune 500 since 2000, received the URAC's Best Practices in Consumer Empowerment and Protection Awards in 2008, made Forbes' 75 Most Reputable Companies in the U.S. list in 2008, and received Information Week's 500 Most Technologically Progressive Companies award from 2002 to 2005. Obviously, none of that was enough to ensure effective data security.
I have heard of this extortion scam happening to individuals, where scammers take over your computer remotely via a computer virus and demand money in exchange for the virtual release of your computer. This happened to a former coworker in Boston. Her husband's PC was taken over by scammers in eastern Europe. She and her husband never paid the extortion money, and instead paid a local computer technician to rebuild her husband's PC
Mac notebook. But Express Scripts is the first instance I've read of this extortion scam happening to a company.
This extortion scam has plenty of implications. Express Scripts' databases contain sensitive personal data for many consumers, since it manages the prescription benefits for more than 50 million people through its client companies, employers, and union-sponsored plans. The identity thieves have smartly targeted medical identity theft, since there are many data security holes within the medical industry.
I hope that companies don't pay thieves in these types of scams. There's no way of knowing whether or not the thieves have already re-sold the stolen data. There's no way of guaranteeing that the thieves will return or delete the stolen information. And, it invites more identity theft.