$1M Reward Offered To Nab Data Breach Extortionist
alphadogg writes with this excerpt from NetworkWorld:
"Express Scripts, the pharmacy benefits management company which recently disclosed an extortionist is demanding money by threatening to expose millions of patient records the company holds, Wednesday said it has decided to offer $1 million to nab the perpetrator. 'We're going on the offense with this reward,' an Express Scripts spokesman said. The $1 million will be paid to anyone who provides information leading to the capture and conviction of the extortionist who sent a letter to Express Scripts in early October that contained personal information on 75 people, considered members, who use the company's pharmacy-benefits services. The extortionist claims to have information on millions more Express Scripts members and wants money to not reveal it."
Terrorize the slimebag instead. Make him wonder which one of his buddies that he bragged to will turn him in.
All the extortionist need do now is move the data to someone else's machine then shop him in.
Pharmacom called.
They're upset that the records on the Black Shakes might be released. Did Johnny Mnemonic loop it through Jones?
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Isn't there a way to track the bank account that the payment is transferred to? How do those DDoS extortion rings collect the money that they demand from online businesses? I mean, if the criminals are asking that the money be wired to a specific account, couldn't the bank determine what bank that account belongs to (how else would they wire the money)? If the bank is located in a country that has an extradition treaty with the U.S., then they could just wire the money and catch the crooks when they try to access the account.
On a separate note, my father recently had some inexplicable PayPal "instant transfers" show up on his checking account statement. However, he hasn't used PayPal or purchased anything from PayPal merchants in over 2-3 years. Does anyone know if there is a common identity-theft or banking fraud technique involving the use of PayPal and checking accounts? Or could this perhaps just be a computer error? I'm just wondering because if this is a sign of identity theft then I need to have my dad cancel his checks and credit cards. And so far Washington Mutual has been very unhelpful regarding this situation.
I think some minimum security requirements are needed by law before people will start securing personal data like this. I think one thing preventing this is the wide deployment of Windows out there that could never meet strict security requirements. (That is just my bias talking.) The web server www.express-scripts.com is reported by nmap as running FreeBSD, but it also shows a few ports in the 8000 range "closed" but otherwise detected. I have to wonder what that's about... nmap identifies one of them as an apple-iphoto service port of some kind. I am sure that can't be right.
IT has always been a wild-west environment where anyone can claim to be an expert. People set things up with no standards. It doesn't help that executives with no understanding of technologies or risks insist on things being done in spite of the risks they are presented with. Even as there are problems all around with important data being lost, stolen, misplaced or exposed, people fail to look at the cause and prevention aspects of these problems. I cannot imagine this changing until people are threatened with massive fines or imprisonment. The fines that many businesses suffer in other areas are an insufficient deterrent and become factored into business budget plans... the fines must be MASSIVE.
And if he's too smart for that? Might just piss him off and he might release the names regardless of payment.
If I was the guy, I bet I worked alone and would call their bluff and laugh at them.
---- Booth was a patriot ----
Instead of having an article entitled "Millions of identities stolen" with text like "massive compromise" we have a revenge story.
That's why corporate officers get paid the big bucks. They screw you and you feel good about it.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
I completely agree. I've known people who have worked for that company. Now anyone dealing with their customer service or prescription filling has to sign an NDA saying that even after leaving, they can't disclose any information. Apparently a lot of famous people like to pop prescription drugs (no surprise there).
Their security at night is lax. The women don't work and instead just find the nearest security guard and closet and have some fun. Either way, it wouldn't be too hard to get a lot of information and dip your hands into the extortion bracket.
RTFA, they have upped their security since the letter was sent to them. And since no one knows how exactly the records were stolen, I think you're just talking out of your ass claiming it as "complete stupidity on their part."
At least the company is smart enough to realize that there's no such thing as perfect security (which apparently is more than can be said about you). However, having found themselves in a situation in which their customer records have been stolen, they are taking all precautionary measures to minimize the damage.
They were honest about the breach and came out publicly about it rather than trying to suppress the information. They contacted the FBI, who have launched an ongoing criminal investigation. The company has also hired data security & computer forensics experts to launch their own independent investigation into the matter. Additionally, they have contracted a risk-consulting firm to provide free identity restoration services to affected customers in order to mitigate potential damages. They seem to have done everything in their power to redress the situation. What else were they supposed to do? Give in to the extortionists' demands and try to sweep this under the rug?
Many 'pharmacy benefit management' companies profit by selling information about your drug purchases - and probable ailments - to the highest bidder. This is a gray area of the law. You are typically NOT able to opt out of this selling of your information. HIPAA doesn't cover this, just like it doesn't cover off-shore companies who sell your data. It is a rapidly growing market.
Insurance companies like Humana even make a point of mentioning that they will disclose your health data to third parties who may not be subject to privacy regulations.
So I have to ask, who is more evil here?
Covered by personal data protection laws; you seriously need one of those in the US. (And yeah, I know the libertardian argument against it (that it would cost zillions to business (which is obviously wrong (but that would not stop a 'tardian, would it?))))
Additionally, as I understand it, this kind of thing is also considered a major breach of pharmacist/patient privilege around here. Any pharmacist who would leak this info in the first place would quickly lose his license, on top of being criminally prosecuted. I don't even think the insurance companies get detailed info about what they're reimbursing as far as prescription meds are concerned.
The smart ones don't.
again, RTFA:
> what else were they supposed to do? give in to the extortionists' demands and try to sweep this under the rug?
Well, that's the most popular option for financial firms, because the financial industry is the largest confidence game ever created. I'm not saying this sarcastically -- the entire market is based on the trust and confidence between buyers and sellers; there is no truly "safe bet" in the industry. They went public because there was no way they could do damage control on several million accounts and not have their customers break the story. If it were a few hundred, or even a few thousand, they could spin the press around about what the actual numbers were and downplay the risk. Sure, there'd be lawsuits, and people talking, but only the company would know the full scale of the breach. In this case, they know it's too big and so from a risk analysis standpoint... It's better to take the hit to their reputation and consolidate the risk into a few controllable areas -- which is to say, not in a courtroom.
As far as "minimizing the damage"... That's a lot like sweeping the front entryway out after they've bombed the building flat. The damage is already done, at this point, they're just trying to control collateral damage.
#fuckbeta #iamslashdot #dicemustdie
You can't compare theft to drug use.
Smart people do commit crimes (morals have nothing to do with intelligence). The dumb ones get caught and serve time.
Well crap. I'd mod you insightful, but I already posted...
There's no place like