$1M Reward Offered To Nab Data Breach Extortionist
alphadogg writes with this excerpt from NetworkWorld:
"Express Scripts, the pharmacy benefits management company which recently disclosed an extortionist is demanding money by threatening to expose millions of patient records the company holds, Wednesday said it has decided to offer $1 million to nab the perpetrator. 'We're going on the offense with this reward,' an Express Scripts spokesman said. The $1 million will be paid to anyone who provides information leading to the capture and conviction of the extortionist who sent a letter to Express Scripts in early October that contained personal information on 75 people, considered members, who use the company's pharmacy-benefits services. The extortionist claims to have information on millions more Express Scripts members and wants money to not reveal it."
Have they disclosed how many records were accessed and at what point?
Give me my $1M now
Terrorize the slimebag instead. Make him wonder which one of his buddies that he bragged to will turn him in.
All the extortionist need do now is move the data to someone else's machine then shop him in.
Pharmacom called.
They're upset that the records on the Black Shakes might be released. Did Johnny Mnemonic loop it through Jones?
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Express Scripts should also spend a few more bucks and fix their security. This is just complete stupidity on their part. They should get sued.
Isn't there a way to track the bank account that the payment is transferred to? How do those DDoS extortion rings collect the money that they demand from online businesses? I mean, if the criminals are asking that the money be wired to a specific account, couldn't the bank determine what bank that account belongs to (how else would they wire the money)? If the bank is located in a country that has an extradition treaty with the U.S. then they could just wire the money and catch the crooks when they try to access the account.
On a separate note, my father recently had some inexplicable PayPal "instant transfers" show up on his checking account statement. However, he hasn't used PayPal or purchased anything from PayPal merchants in over 2-3 years. Does anyone know if there is a common identity-theft or banking fraud technique involving the use of PayPal and checking accounts? Or could this perhaps just be a computer error? I'm just wondering because if this is a sign of identity theft then I need to have my dad cancel his checks and credit cards. And so far Washington Mutual has been very unhelpful regarding this situation.
I think some minimum security requirements are needed by law before people will start securing personal data like this. I think one thing preventing this is the wide deployments of Windows out there that could never meet strict security requirements. (That is just my bias talking.) The web server www.express-scripts.com is reported by nmap as running FreeBSD, but it also shows a few ports in the 8000 range "closed" but otherwise detected. I have to wonder what that's about... nmap identifies one of them as an apple-iphoto service port of some kind. I am sure that can't be right.
IT has always been a wild-west environment where anyone can claim to be an expert. People set things up with no standards. It doesn't help that executives with no understanding of technologies or risks insist on things being done in spite of risks they are presented with. Even as there are problems all around with important data being lost, stolen, misplaced or exposed, people fail to look to the cause and prevention aspects of these problems. I cannot imagine this changing until people are threatened with massive fines or imprisonment. The fines that many businesses suffer in other areas are insufficient deterrent and become factored into business budget plans... the fines must be MASSIVE.
If I were an extortionist, a simple everyday bank account "at the bank over there at the street corner" would be the last thing I'd be using.
A Swiss bank perhaps? I think there may be countries that are even more "secure" for the perp.
Gimme back my son!
And if he's too smart for that? Might just piss him off and he might release the names regardless of payment.
If I was the guy, I bet I worked alone and would call their bluff and laugh at them.
---- Booth was a patriot ----
and $3 Million if you also bring along the exploit code, so we know what got past.
if this is supposed to be a new economy, how come they still want my old fashioned money?
Instead of having an article entitled "Millions of identities stolen" with text like "massive compromise" we have a revenge story.
That's why corporate officers get paid the big bucks. They screw you and you feel good about it.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
What's that movie called which, along the same lines, someone kidnapped a relative and the guy offered the ransom money to anybody who would give info which would help capture the kidnapper, instead of giving it to the kidnapper?
If you attempt to link a bank account to paypal, it will charge a tiny amount of money to your account. Someone may be accidentally using the wrong number, or it may be more sinister. Sorry, but I don't know more.
Well, there were two separate transactions made on two consecutive days--one for ~$90 and one for ~$30. So I don't think it could have been a surcharge. But thanks for the tip anyway.
It's likely he didn't think that all the way through. You have to remember that criminals are often not all that savvy. He may have just assumed that the money would be paid and that'd be it. True, if the company didn't contact the FBI. However if it was paid out as a setup, pretty likely they'd find out who he is. Money is rather traceable, when necessary.
That's one reason why you almost never see kidnapping for ransom in the US. Used to happen, but you find out that the FBI has a 100% closure rate these days on it. They always nail the kidnapper. They aren't always able to save the victim, but it is something you don't get away with. So why can they nail crooks for that (to the point that it pretty much never happens these days) but not for, say, kidnapping for sexual exploitation? Money. When you pull the ransom thing, you give them a way to track you.
So I guess they value their user's privacy at $1 million dollars.
Does anyone know if this is close to the price the black market actually pays for SSN/medical records/credit card numbers?
The guy is claiming to have information on millions of users (who knows if it's true, he could be bluffing) and the company is willing to spend $1 million as a reward to find him. That means they value each record at less than $1 each.
This seems like a pretty dangerous poker game to be playing when you're talking about people's private data.
I know personally, I value my private data much higher than $1, but then again I have more of an incentive to protect it than some random company.
If I can not smoke in heaven, then I shall not go. -- Mark Twain
Simply put, the money goes into accounts either in the Grand Caymans, which will not allow any tracking, or bounces through 100 accounts before it hits a bank in a former communist country. In either case the banks and/or the country will not cooperate with the rest of the world.
Ok I confess it was me, Mr A. Coward.
Can I have my money now please??
Many 'pharmacy benefit management' companies profit by selling information about your drug purchases - and probable ailments - to the highest bidder. This is a gray area of the law. You are typically NOT able to opt out of this selling of your information. HIPAA doesn't cover this, just like it doesn't cover off-shore companies who sell your data. It is a rapidly growing market.
Insurance companies like Humana even make a point of mentioning that they will disclose your health data to third parties who may not be subject to privacy regulations.
So I have to ask, who is more evil here?
I have to say that the competing company in the mail order prescription provider business which I work for is in just about the same situation, considering how open their security policies are. Both production and non-production computers can access the internet, and both have about equal access to private customer information, since even the non-production break room machines are used for accessing the internal prescription database. Yet all machines have their anti-virus software turned off and the break room machines allow any user to install whatever software they want. I tried to make a comment about how bad this is to my local management but he said he could not do anything because computer security policies are determined by corporate and they have deemed this set up 'safe', which is ironic since they encourage the use of Internet Explorer because their internal network system will only work on it, as well as the website they outsourced their HR department to (HRDirect).
I would've applauded the company's stance immediately, had it not been for a nagging thought: the data is not entirely theirs.
What's less ethical: paying off a blackmailer, or risking your customer's very sensitive data?
Then, again, there is no guarantee, the blackmail will ever stop anyway — even embarrassing photos can be copied before returning, digital files are practically guaranteed to remain in the scumbag's possession — so trying to apprehend the guy would still seem like the right thing to do...
In Soviet Washington the swamp drains you.
LSD,
The guy telling you that was wrong, anyway.
Paypal GIVES you a few cents, twice, to verify your account.
If you have two charges, chances are, something is amiss.
WaMu is still in business?
--Toll_Free
Covered by personal data protection laws; you seriously need one of those in the US. (And yeah, I know the libertardian argument against it (that it would cost zillions to business (which is obviously wrong (but that would not stop a 'tardian, would it?))))
Additionally, as I understand it, this kind of thing is also considered a major breach of pharmacist/patient privilege around here. Any pharmacist who would leak this info in the first place would quickly lose his license, on top of being criminally prosecuted. I don't even think the insurance companies get detailed info about what they're reimbursing as far as prescription meds are concerned.
My childhood dream of being a digital bounty hunter is possible at last! :D
Seriously, more bounties on internet crime (even if this specific incident sounds like an inside job). The feds are way too slow on the ball. Private actors could resolve things like this much better, with the caveats of not having access to mass surveillance, and probably committing crimes themselves to investigate people, e.g. pretexting. Private investigators and "physical" bounty hunters are rumored to do this all the time, though, or lease it out to database services who do, and so far very few people complain. It takes one to catch one, and when it comes to hacking, I personally believe this to be literally true, no matter what the whitehat movement with its silly middle-class hysteria claims.
Emotions! In your brain!
I know the implications this has on individual privacy but I am angry at the corporate greed and irresponsibility currently going on so a part of me cheers this individual on. If they can get a cool million, fine! It'll send a message against invincibility to the corporation. Maybe it will cause Express to humble itself a bit.
Same way you pay advance fees to the Prince of Nigeria I presume.
better to put it in escrow for the coming lawsuits regarding careless handling of private information.
Though I suppose if even a small percent of the "millions" exposed all take up legal action (or class action it?) as a result of the extortionist exposing their records, $1M won't get them off to a very good start. I wonder how much the courts would judge for damages regarding mishandling and loss of personal information like that, per victim? Paying a $1M bounty on his head is probably a good deal for Express Scripts if it works.
But, serves them right. One way or another the scammer has done a public good by exposing the lax security. Unfortunately, The Public doesn't probably have a say in this, they're not the direct customers, and who can say they know who their local doctor or ER share their information with?
Initially I was surprised they didn't just pay them off or something. But then really when you are dealing with a privacy extortionist, you can pay them and they can just change the terms and say, set you up on an ongoing payment schedule to NOT release the information, so catching them before they can release it is the only way to get out of the hostage situation. Paying them off doesn't necessarily make them go away, it makes them just keep asking for more. Eventually you are going to run out of patience or run out of money and they're going to release it anyway. May as well get it over with and hope to catch them at the same time.
Though this is more of a declaration of war than anything. The extortionist may just release the info to "send a message" to future targets and chalk up this lost opportunity as an "investment" on future extortions. Will be interesting to see how things play out.
I work for the Department of Redundancy Department.
These people provide my benefits.
Time to start ordering credit reports every month, yay!!
Why, no, I haven't meta-moderated lately. Thanks for asking!
They're now part of JPMorgan Chase, so technically they're still in business, but they're under new management.
I was hoping the change in ownership would be a good thing, but so far my experience with their customer service regarding banking fraud has been rather underwhelming. There's no dedicated support line for identity theft/banking fraud/mischarges, and it's practically impossible to get hold of a human operator even on weekdays during their regular business hours.
I'm wondering if I should contact PayPal instead, and perhaps they would be willing to reverse the fraudulent charges.
"And if he's too smart for that? Might just piss him off and he might release the names regardless of payment."
"If I was the guy, I bet I worked alone and would call their bluff and laugh at them."
Doesn't matter. You'd eventually get caught.
There's no place like
Either Western Union or bank wire.
Those using pirated Tinysoft signatures(TM) are a real threat to society and should all be thrown in jail.
Wire it to a bank in one of a number of countries where it is illegal to even ask who owns a bank account. There aren't as many places today, but there are still a few where accounts are all numbers. It's a numbered account and you have an id number, not a name. You call in, give the proper ID number and password and wire the money on to another bank, usually controlled by your friends in the >.
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
To "call their bluff" you must sell the data to someone. That someone just might decide he could use another $1M.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
The smart ones don't.
Well you don't just put it on ebay...
The value of the data might just be more than the reward.
Does the reward stipulate where they must be captured and convicted? If the guy is out of the country it's pretty unlikely that he'll be captured and convicted in the United States. If he's in one of the many places where the local government can't, or doesn't care enough to, arrest and put him on trial, the reward is absolutely useless.
This isn't like calling the tip line where you give a tip on a local drug dealer the cops can capture and convict in a matter of months. This is probably an international extortion case that will almost definitely not end in "capture and conviction." It's not like a trial and conviction changes the fact that the data was stolen and was probably sold off or dumped the second the company put a reward on the guy's head.
It's a PR stunt. The "capture and conviction" stipulation on this type of case means it's a really safe bet they won't have to pay out. It's just a clever way of notifying everyone that they lost a bunch of data and have no idea how much was taken.
This guy is hurting millions of hard working people who just want to be able to buy medication at a reasonable price when they need it. Too bad Express Scripts couldn't have hired some skilled person to hunt him down and quietly take him out at the first sign of this problem. He certainly deserves it.
No doubt about that. This includes the Baltics, Estonia, Latvia, and the other *ia-s, Ukraine, or Hamburg, Israel (lots of ruskies there), Turkey (same).
So let the extortionist have the drugs they were sending me.
https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
"The smart ones don't."
The smart ones don't do it in the first place.
That's like making a reference to people doing meth, and then referring to one of them as 'the smart one'.
Actually WaMu is being assisted in whole by Wells Fargo Bank.
You can't compare theft to drug use.
Smart people do commit crimes (morals have nothing to do with intelligence). The dumb ones get caught and serve time.
"Make him wonder which one of his buddies that he bragged to will turn him in."
The 1 million for conviction is nice, but they should also offer a $50,000 reward just for his arrest because convictions can take years but arrests usually happen within days of police finding evidence.
I'd turn in my friends for 50 grand if they did something so stupid, but then, how do you get rewarded for securing a company's security holes? If he politely told them what they did wrong, he'd be accused of being a hacker and arrested anyway, but if he keeps his mouth shut it's only a matter of time before someone else uses it for evil purposes.
my karma will be here long after I'm gone
http://thedailywtf.com/Articles/A_Case_of_the_MUMPS.aspx
Enter the world of money mules.
This kind of problem has been solved by criminals long before internet.
http://en.wikipedia.org/wiki/Money_mule
$1,000,000 in extortion to extract a promise "not to reveal any patient information...yet" or $1,000,000 to hire private investigators and/or a hit man. The latter is far more effective.
It's called a Swiss bank account. Unlike those snoopy American banks, you're just a number to them. They protect your privacy as well, not just giving it to anyone that feels like asking.
That's where I would start looking...
Intron: the portion of DNA which expresses nothing useful.
What the heck, might as well add that contingency. It doesn't suggest someone off the bastard, just that if he happens to be cold when turned in, the offer's still good. All the more fear factor added to the offense-as-defense.
"I may be synthetic, but I'm not stupid." -- Bishop 341-B
"You can't compare theft to drug use."
"Smart people do commit crimes (morals have nothing to do with intelligence). The dumb ones get caught and serve time."
Well crap. I'd mod you insightful, but I already posted...
PayPal would be my first choice, since they are/were the ones that processed the transaction to your father's account. I believe they have stop-gap prevention measures in place, as long as you act soon enough. I've never had to go that far; only once was I conned on eBay. Finding out the high school kid's mother's work number, and giving her a call about her scammer kid at work, was enough to get me my car stereo I purchased :)
WaMu, I haven't had a lot of experience with. I tend to go to credit unions, as they have better customer service, don't have the problems banks do, and aren't in it for a profit like a bank is... That usually means a better customer service experience.
HOWEVER, it was a real pain when I travelled, and at work, so I ended up having two accounts. One with a major bank (that rarely had a lot of money in it, just operating expenses), and my credit union. Credit unions are localized, banks can go international.
... on a contract that ended April 2007. I pity the poor slobs that do IT work for them. I am not surprised they got hacked, if the quality of their security was anything similar to the part of their IT environment I was exposed to.
Cash? Diamonds?