The largest pharmacy benefit management company in the U.S. and Canada is being blackmailed by data thieves

Nov 7, 2008 14:17 GMT

Express Scripts, number 135 on the 2008 Fortune 500, has announced that in October it received a letter in which unknown persons attempted to extort money from the company by threatening to disclose a major security breach. According to the letter, the attackers had obtained the personal details of millions of the company's customers, and they included sample records as proof.

“Express Scripts handles millions of prescriptions each year through Home Delivery and at retail pharmacies,” the company's website proudly states. Unfortunately, that also means a great deal of sensitive data to store and protect, and, as past incidents show, attackers will not hesitate to target it. "Express Scripts is committed to the privacy and security of our members' personal information, so a threat like this against our members is outrageous," said George Paz, the company's CEO. "However, as security experts know, no data system is completely invulnerable," he added.

Express Scripts has set up a dedicated website to keep its customers informed as the incident develops and to give them guidance on protecting their identities. Graham Cluley, Senior Technology Consultant at security vendor Sophos, thinks the company did the right thing by making the incident public. “Firstly, it hasn’t paid any money. That’s important because paying blackmailers only encourages them to ask for more money, or to steal from others,” he writes. The company has also notified the FBI and started its own internal investigation. "We are cooperating with the FBI and are committed to doing what we can to protect our members' personal information and to track down the person or persons responsible for this criminal act," announced Mr. Paz. "We have been conducting a thorough investigation since we received this threat and we are taking it very seriously," he added.

The attackers included in their letter a sample of 75 patient records containing names, addresses, Social Security numbers, dates of birth and even prescription information, which is more than enough to commit identity theft. The company said it has notified the 75 affected members and that the source of the breach has been identified with the help of data security and computer forensics experts. “We continue to conduct our investigation. We are notifying our members and clients to enable them to take steps to protect themselves from possible identity theft," noted George Paz.

The twist that sets this incident apart is the blackmail component, which may suggest that those responsible are not experienced criminals and are unfamiliar with the underground carding community, where such data is constantly traded and sold. A similar case involved a 60-year-old man from California who blackmailed car manufacturer Maserati after hacking into and copying a database built during one of the company's promotional campaigns.