in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Pharmacy Benefits Manager Express Scripts Gets Extortion Letter - A Sign Of Things To Come For Data Breaches?

Express Scripts is a PBM, a Pharmacy Benefits Management company.  What this means is that they are in charge of making sure that you get your drugs, since they’re in charge of processing and paying prescription drug claims.  They also do other stuff like negotiating for discounts on drugs.  In fact, some give credit to Express Scripts as the reason why Pfizer’s Lipitor sales took a hit once Zocor went generic: the PBM had dropped Lipitor from their list of preferred drugs to insurers and recommending Zocor instead, which was projected to be six times cheaper once it went generic.

In other words, Express Scripts, whether you’re aware of their existence or not, is no lightweight in the pharmaceutical industry.  And it looks like some criminals are well-versed in this fact, since they decided to extort some money out of this company.

Express Scripts has gone public with the extortion attempt.  According to www.esisupports.com, a site set up expressly to alert the public, the PBM received a letter with the personal information of 75 people in their database, including SSNs, addresses, and DOBs, along with a threat that millions of more names would be released if the company didn’t pay up.  The amount asked was not specified.

When you consider than the company manages prescription benefits for approximately 50 million people, about one-sixth of the US population, well, even the VA laptop theft from a couple of years looks like small potatoes.  With a big difference, though.  In the VA case, most people agreed that the Veterans’ Association was lax regarding data security.  Express Scripts, on the other hand, seems to have done many things right and gotten dinged.

It isn’t surprising that the PBM had data security practices in place long before the breach happened.  As a benefits manager, I’d imagine that it has to follow HIPAA covenants, which have been in place for over a decade.  Of course, that doesn’t guarantee that a company’s network will be rock-solid.  There may be a small hole in the wall, so to speak, or even a case of internal malfeasance, a consideration that is not being dismissed by the company.

At first, when I couldn’t find many details regarding the story, I considered the possibility that the information had been found on a lost laptop that didn’t have its contents protected with the use of laptop encryption software like AlertBoot.  My assumption was, Express Scripts being what it was, it would have topnotch network security.  The data breach had to come from something a bit more prosaic than a bunch of hackers getting into the PBM’s network.

I also made the assumption, with absolutely no basis on what little facts I had, that the criminals were blowing a lot of smoke.  I mean, a list of 75 names?  Not 100?  Why?  It looks like an odd number when you consider that they had millions of names.  Were these guys eco-conscious, trying to fit everything in one page in the extortion letter?  My inclination was that they’ve got about 80 names, which fetches about eight dollars in the black market, so they’ve decided to go for broke and attempted this scheme, claiming millions of names.

This was before I found that the company was able to identify from the 75 names where they’re having an information leak.  So, chances are Express Scripts understands how dire, or not, the situation may actually be.

Will the criminals get caught?  The FBI is involved, and it seems to me that there is a good chance clues were left behind.  Usually, companies that have a data breach don’t know what hit them or how it happened.  But not in this case.  Plus, there’s the nature of the reward.  The problem with extortion is that the criminals have to show up, in one way or another, to claim their money, even if it’s being wired overseas.


Related Articles:
http://www.nytimes.com/2005/10/15/business/15statin.html?pagewanted=print
http://news.cnet.com/8301-10789_3-10084187-57.html
http://blog.wired.com/27bstroke6/2008/11/extortion-plot.html
http://www.nytimes.com/2008/11/07/business/07data.html?partner=rssnyt&emc=rss

 
<Previous Next>

Laptop Encryption Software Not Used For NC State Laptop

Mass. Companies: Are You Ready For The New Data Privacy Regulations?

Comments

No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.