[ISN] Extortion used in Express Scripts database breach

From: InfoSec News <alerts_at_private>
Date: Fri, 7 Nov 2008 03:02:26 -0600 (CST)

By Robert Vamosi  
Defense in Depth
CNet News
November 6, 2008

The customer database of Express Scripts, a company used by employer 
health care services to provide prescription medicine by mail, has been 
breached. In a twist, the company said it learned of the breach in "a 
letter from an unknown person or persons trying to extort money from the 

The company posted details [1] on its Web site Thursday. The letter, 
received in October, threatened to reveal millions of customer 
records--including Social Security numbers, addresses, dates of birth, 
and in some cases, prescription information--on the Internet if the 
extortion demands were not paid. The company did not disclose what those 
demands were.

Graham Cluley, of security software maker Sophos, told CNET News that 
Express Scripts did things right. "It appears they have not paid up." He 
noted that's important with data theft because the criminals have the 
data in their possession and can keep going back to the company to get 
more and more money. Second, Express Scripts went to the FBI and decided 
to go public about the breach.

"We have identified where the data involved in this situation was stored 
in our systems and have instituted enhanced controls," Express Scripts 
said on its site. 

[1] http://www.esisupports.com/


Visit the InfoSec News Security Bookstore
Best Selling Security Books and More!
Received on Fri Nov 07 2008 - 01:02:26 PST

This archive was generated by hypermail 2.2.0 : Fri Nov 07 2008 - 01:06:08 PST