in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Data Protection Software: Express Scripts Back In The News (Again)

Several sources are reporting that Express Scripts, the pharmacy benefit managing (PMB) company, has been informed by the FBI that last year's extortionist has struck again.

If you'll recall, Express Scripts received the personal information of 75 people, all of them in the company's database, via regular mail.  The sender had threatened to release millions of names if ransom demands were not met.  I had mused back then whether a stolen computer that did not make use of hard drive encryption could have been involved.

What Happened In 2008

Initially, the extortionist had contacted Express Scripts, asking for ransom and threatening the release of millions of names if demands were not met.  It was a threat that could be only too real, seeing how the company managed prescriptions for (supposedly) 50 million individuals, and no one knew how the data breach had occurred.

About one week later, when Express Scripts did not show any signs of capitulating, the extortionist went after Express Scripts's clients, again trying to shake them down.

Express Scripts, in turn, offered a $1 million reward for information leading to the arrest of those involved.

Only 75 names were involved at this point, which seemed odd to me at the time, because, let's face it, it's a stupid number.  A guy has millions of names, and he sends only seventy-five of them as proof?  That's, like, two letter-sized sheets.  It's like me declaring to be omnipotent and squashing an ant to prove it.

Seventy-five names...I just can't get over it.  It's like starting an NFL franchise bid because you have 75 dollars when you know it's going to run into the hundreds of millions of dollars for the rights alone...

What Happened In 2009

The FBI was contacted in August 2009 by a law firm that was suing Express Scripts for the above data breach.  The law firm had received "a data file"--it's not specified how; on a CD via regular mail?--that contained Express Scripts's member's information.  In turn, the FBI contacted the PBM.

It's being mentioned that approximately 700,000 members were notified about the breach, although I'm not sure if it was in response to this latest revelation, or something that's been happening over the course of the year.  What is known is that 1,441 residents were contacted in NH alone (the Attorney General of the state makes public all breach notification letters it receives) because of the latest incident.

1,771 in New Hampshire alone.  If we were to assume that's a representative sample, it'd mean that approximately 330,000 across the US were notified as well, based on ratios of US and NH populations.  On the other hand, the extortionist could have made a point of just sending NH data.

Either way, the guy(s) have now made it known that they really do mean business.

They Know The Origin Of The Leak

Supposedly, Express Scripts was able to identify, a year ago, the source of the leak, based on the original 75 names.  It was even mentioned, I seem to hazily recall, that they weren't ruling out an inside job because of this revelation.

A year after, we still don't have any closure, so it looks like all those leads fizzed out.

What Now?

Express Scripts stays the course.  They certainly cannot backtrack now.  The extortionists have proven that they're after money (duh).  When they were unsuccessful with the company, they went after Express Scripts's clients.  It doesn't take a giant leap of thought to assume that they've been peddling the personal information in underground markets during the past year.

Besides not capitulating to demands, the company must continue to review and implement data security--encryption software, firewalls, auditing software, restrict access, etc.--like it has been doing for the past year.


Related Articles and Sites:
http://stlouis.bizjournals.com/stlouis/stories/2009/09/28/daily46.html
http://online.wsj.com/article/BT-CO-20090930-712267.html
http://www.consumeraffairs.com/news04/2009/09/express_scripts_breach.html
http://doj.nh.gov/consumer/pdf/express_scripts.pdf
http://www.esisupports.com/

 
<Previous Next>

Disk Encryption Software: Canada 2009 Hi-Tech Breach Costs Double From Last Year

Data Encryption: Could Kindle Be At The Heart Of A Data Breach?

Comments

No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.