Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Businesses The Almighty Buck

$1M Reward Offered To Nab Data Breach Extortionist 134

alphadogg writes with this excerpt from NetworkWorld: "Express Scripts, the pharmacy benefits management company which recently disclosed an extortionist is demanding money by threatening to expose millions of patient records the company holds, Wednesday said it has decided to offer $1 million to nab the perpetrator. 'We're going on the offense with this reward,' an Express Scripts spokesman said. The $1 million will be paid to anyone who provides information leading to the capture and conviction of the extortionist who sent a letter to Express Scripts in early October that contained personal information on 75 people, considered members, who use the company's pharmacy-benefits services. The extortionist claims to have information on millions more Express Scripts members and wants money to not reveal it."
This discussion has been archived. No new comments can be posted.

$1M Reward Offered To Nab Data Breach Extortionist

Comments Filter:
  • IT'S ME (Score:1, Funny)

    by Anonymous Coward
    Give me my $1M now
  • by Anonymous Coward on Saturday November 15, 2008 @10:27AM (#25770607)

    Terrorize the slimebag instead. Make him wonder which one of his buddies that he bragged to will turn him in.

    • And if he's too smart for that? Might just piss him off and he might release the names regardless of payment.

      If i was the guy, i bet i worked alone and would call their bluff and laugh at them.

      • And if he's too smart for that? Might just piss him off and he might release the names regardless of payment.

        If i was the guy, i bet i worked alone and would call their bluff and laugh at them.

        Doesn't matter. You'd eventually get caught.

      • To "call their bluff" you must sell the data to someone. That someone just might decide he could use another $1M.

        • by nurb432 ( 527695 )

          Well you don't just put it on ebay...

          The value of the data might just be more then the reward.

          • by Intron ( 870560 )

            1 million customer names and addresses Item number: 22030897068
             
            Starting Bid: $0.99
            End time: 7 days
            Shipping: Free Shipping
            Ships to: Worldwide
            Item location: Not revealed
            History: 0 Bids

    • "Make him wonder which one of his buddies that he bragged to will turn him in."

      The 1 million for conviction is nice, but they should also offer a $50,000 reward just for his arrest because convictions can take years but arrests usually happen within days of police finding evidence.

      I'd turn in my friends for 50 grand if they did something so stupid, but then, how do you get rewarded for securing a company's security holes? If he politely told them what they did wrong, he'd be accused of being a hacker
  • Opportunity (Score:5, Interesting)

    by Anonymous Coward on Saturday November 15, 2008 @10:27AM (#25770611)

    All the extortionist need do now is move the data to someone else's machine then shop him in.

    • The situation here isn't a "we want the data back" it's "we want to stop the perp"....different situation.

      • You mis understand the GPs point, all the perp has to do is frame someone else for the crime and said perp gets to keep the 1 million while someone innocent gets charged with his crime.

        • unless the perp frames a friend with 'skilz', this likely wouldn't work. Anyone with 'skilz' is likely not going to leave open access to their gear.
          • But would anyone investigating even know how to tell if someone has skillz?
            • by Goaway ( 82658 )

              Of course not, they're all completely incompetent! They got their jobs by sending in a coupon off a cereal box!

          • For $1M, the perp may be encouraged to try some Ninja access. Dead-tree plant in your residence and an anonymous phone call... that's all it would take.

            • For $1M, the perp may be encouraged to try some Ninja access. Dead-tree plant in your residence and an anonymous phone call... that's all it would take.

              How do you collect the reward if you report it anonymously?

              You might be correct (and super paranoid;-) if you rephrase it that the company frames someone they don't like and claim that there was an anonymous tip. That way the company gets free publicity by offering a reward but doesn't have to actually pay the $1M.

              Besides I'm sure anyone trying to claim $1M will be thoroughly investigated as well.

      • by arth1 ( 260657 )

        The situation here isn't a "we want the data back" it's "we want to stop the perp"....different situation.

        For a company that couldn't protect their data, didn't know they had been hacked, and didn't have records to investigate after the fact, do you think they really know what they want?

        As for who the perp is, I think there's more than one person. The extortionist, to be sure, should be caught and brought to justice, but so should the perps on the inside, who, through gross negligence or incompetency, let

    • Re:Opportunity (Score:5, Insightful)

      by zappepcs ( 820751 ) on Saturday November 15, 2008 @10:34AM (#25770641) Journal

      I think there may be a small problem with that. Didn't the USA offer a reward similar to this for Osama Bin Laden?

      The trouble with being a friend of this extortionist is that all your sins are likely to be discovered if you turn them in, even if you do get the money.

      I'd like to see the reward work, but am not holding my breath for it.

      • all your sins are likely to be discovered if you turn them in

        $1 million would make me care very little about my own sins or who knows about them.

      • Re: (Score:1, Flamebait)

        by b4upoo ( 166390 )

        I think that it is sad that people are such cowards that having their prescription histories made public would worry them.

        • Re:Opportunity (Score:4, Insightful)

          by Cheerio Boy ( 82178 ) * on Saturday November 15, 2008 @01:57PM (#25771701) Homepage Journal

          I think that it is sad that people are such cowards that having their prescription histories made public would worry them.

          It isn't about cowardice.

          It's about not wanting your employer to maybe fire you because you have an AZT prescription or are on chemotherapy or are on medicine for ADD/ADHD and have a job working with million dollar custom surface-mount circuitry or are a neurosurgeon.

          • I am sure that a big bunch of their customers are prescription drug addicts.

    • Re: (Score:3, Insightful)

      by mi ( 197448 )

      All the extortionist need do now is move the data to someone else's machine then shop him in.

      The subsequent criminal investigation — capture and conviction are the conditions for the reward — is likely to reveal the truth anyway. Slipping somebody a gun, or bag of cocaine, or stolen (hey, at least, we aren't arguing about the applicability of the term here!) data does make the person a suspect, but not a convict — unless a policeman is doing it, for judges tend to trust those people...

      Th

    • Quite possibly they're hoping he does something 'smart' like this and thus gives himself away to the authorities. Anyone trying to claim the reward would I'm sure come under a lot of scrutiny, and likewise for the alleged criminal.

  • by TaoPhoenix ( 980487 ) * <TaoPhoenix@yahoo.com> on Saturday November 15, 2008 @10:31AM (#25770629) Journal

    Pharmacom called.

    They're upset that the records on the Black Shakes might be released. Did Johnny Mnemonic loop it through Jones?

  • by lysergic.acid ( 845423 ) on Saturday November 15, 2008 @10:43AM (#25770679) Homepage

    isn't there a way to track the bank account that the payment is transferred to? how do those DDoS extortion rings collect the money that they demand from online businesses? i mean, if the criminals are asking that the money be wired to a specific account, couldn't the bank determine what bank that account belongs to (how else would they wire the money)? if the bank is located in a country that has an extradition treaty with the U.S. then they could just wire the money and catch the crooks when they try to access the account.

    on a separate note, my father recently had some inexplicable PayPayl "instant transfers" show up on his checking account statement. however, he hasn't used PayPal or purchased anything from PayPal merchants in over 2-3 years. does anyone know if there is a common identify-theft or banking fraud technique involving the use of PayPal and checking accounts? or could this perhaps just be a computer error? i'm just wondering because if this is a sign of identity-theft then i need to have my dad cancel his checks and credit cards. and so far Washington Mutual has been very unhelpful regarding this situation.

    • If I were an extortionist, a simple everyday bank account "at the bank over there at the street corner" would be the last thing I'd be using.
      A Swiss bank perhaps? I think there may be countries that are even more "secure" for the perp.

    • If you attempt to link a bank account to paypal, it will charge a tiny amount of money to your account. Someone may be accidentally using the wrong number, or it may be more sinister. Sorry, but I don't know more.
      • well, there were two separate transactions made on two consecutive days--one for ~$90 and one for ~$30. so i don't think it could have been a surcharge. but thanks the tip anyway.

        • LSD,

          The guy telling you that was wrong, anyway.

          Paypal GIVES you a few cents, twice, to verify your account.

          If you have two charges, chances are, something is amiss.

          WaMu is still in business?

          --Toll_Free

          • they're now part of JPMorgan Chase, so technically they're still in business, but they're under new management.

            i was hoping the change in ownership would be a good thing, but so far my experience with their customer service regarding banking fraud has been rather underwhelming. there's no dedicated support line for identity-theft/banking fraud/mischarges, and it's practically impossible to get a hold of a human operator even on weekdays during their regular business hours.

            i'm wondering if i should contact P

            • PayPal would be my first choice, since they are / where the ones that processed the transaction to your fathers account. I believe they have stop-gap prevention measures in place, as long as you act soon enough. I've never had to go that far, only once was I conned on ebay. Finding out the High School kids mothers work number, and giving her a call about her scammer kid at work was enough to get me my car stereo I purchased :)

              WaMu, I haven't had a lot of experience with. I tend to go to credit unions, a

    • It's likely he didn't think that all the way through. You have to remember that criminals are often not all that savvy. He may have just assumed that the money would be paid and that'd be it. True, if the company didn't contact the FBI. However if it was paid out as a setup, pretty likely they'd find out who he is. Money is rather traceable, when necessary.

      That's one reason why you almost never see kidnapping for ransom in the US. Used to happen, but you find out that the FBI has a 100% closure rate these d

    • Re: (Score:1, Interesting)

      by Anonymous Coward

      Simply put the money goes into accounts either in the Grand Cayman's which will not allow any tracking or bounces through 100 accounts before it hits a bank in a former communist country.. in either case the banks and/or the country will not cooperate with the rest of the world

    • Either Western Union or bank wire.
    • Wire it to a bank in one of a number of countries where it is illegal to even ask who owns a bank account. There aren't as many places today, but there are still a few where accounts are all numbers. It's a numbered account and you have an id number, not a name. You call in, give the proper ID number and password and wire the money on to another bank, usually controlled by your friends in the >.

  • by erroneus ( 253617 ) on Saturday November 15, 2008 @10:49AM (#25770695) Homepage

    I think some minimum security requirements are needed by law before people will start securing personal data like this. I think one thing preventing this is the wide deployments of Windows out there that could never meet strict security requirement. (That is just my bias talking) The web server www.express-scripts.com is reported by nmap as running freebsd, but it also shows a few ports in the 8000 range "closed" but otherwise detected. I have to wonder what that's about... nmap identifies one of them as an apple-iphoto service port of some kind. I am sure that can't be right.

    IT has always been a wild-west environment where anyone can claim to be an expert. People set things up with no standards. It doesn't help that executives with no understanding of technologies or risks insist on things being done in spite of risks they are presented with. Even as there are problems all around with important data being lost, stolen, misplaced or exposed, people fail to look to the cause and prevention aspects of these problems. I cannot imagine this changing until people are threatened with massive fines or imprisonment. The fines that many businesses suffer in other areas are insufficient deterrent and become factored into business budget plans... the fines must be MASSIVE.

    • by tsm_sf ( 545316 )
      Do you frequently port scan sites you don't own? Just curious...
      • Re: (Score:1, Insightful)

        by Anonymous Coward

        And what would be wrong with that? If you run a server, it's your decision which services you make available to the public. Port scanning is just like window shopping.

        • I have some services running on my local network. Namely, I have XDMCP, and PulseAudio publicly announcing every X time that services are being offered. Samba sits alone, as does ssh and a few other apps.

          The key: Apache has no "announce" option to the backbone to the net, nor will it ever do that. Announcing is for private networks in which total announced messages will be negligible.

          That said, how are we supposed to figure out what services are being offered and where? Many sites offer http:80 [80], http:8080 [8080],

      • Before I open my mouth and say "hey, they are probably running windows!" I thought it best to do essentially the same thing NetCraft does. Port scanning is not an attempt at entry.

        But to answer your question: no, I don't. I just use the legal resources I have available to me to get some facts before I make comments. Not only do I RTFA most of the time, I also do what fact-checking I can within a few seconds... don't you?

        • by Splab ( 574204 )

          That sure depends on what country you are in.

          Some years back a kid in Denmark got hit with attempted hacking because he was port scanning sites, the court found him guilty because he not only had NMAP but other tools that in conjunction could be used for hacking.

          • NMAP and nc is all one really needs to hack other computers on the net.

            • by dotgain ( 630123 )
              If you know what vulnerability you'd be attacking up front (e.g. an historical web server buffer overflow / stack smash) all you need is a compiler / assembler for whatever language you choose. Difference with nmap and nc is, they're more readily idendifiable as tools that could assist breakins.
              • Well, true.

                As for scanners, they evolved from shell scripts that ping, udp-ping and tcp-ping the target based upon switches. I remember hacking a rudimentary one together on a heavily locked-down network. It got it's job done, and nobody was the wiser.

                Making your own tools also helps when you are on windows machines that find "hacktools" as viruses and refuse to let them run. Of course, that's where a packer comes in.

    • Re: (Score:3, Insightful)

      You seem to be going on the assumption that somehow the breach was somehow done through purely technical means. This may very well not be the case. Maybe somebody lost some data through leaving it on a laptop/memory stick, maybe someone who works for the company got this info, or it could very well have been obtained with some good old fashioned social engineering.
      • You seem to be assuming something I never wrote. I specified any number of ways breeches happen including "lost and misplaced" things.

        However, with that said, it is stupid for people to be able to walk around with data on laptops at all. If it is important, it is important that it stay locked up and accessed remotely and securely... and really, best if it isn't even remotely at all.

        What business does anyone have with needing to have such important data as large contact/customer/personal-records databases

      • Wasn't there a slashdot story within the last year or two about someone sprinkling a handful of small USB thumb drives on the ground outside a bank branch that used Windows? And that before the day was out, about half of the memory sticks had "phoned home"?

        Social engineering is much too easy.

        And professionals can't even agree that it's a terrible idea to put, say, flood control dam control computers on the internet.

        I can't count the number of times during "customer service" type calls where the employee ve

        • Linux and Mac both can stop "bad thumbdrives", although I dont know if you can disable the auto-run part of the windows software. I've succeeded on cd's, but the problem still affects floppies (yeah.), HD's, and thumbdrives. I run a VBox session of WinXP when I need to run that windows-only software that doesnt run correctly in Wine, so I can also test reg-edits that may bork my system.

          In the Linux world, you just dont have permissions to exec mount, or to use FUSE. There. Solves that problem. Better yet, I

          • by Bungie ( 192858 )

            although I dont know if you can disable the auto-run part of the windows software. I've succeeded on cd's, but the problem still affects floppies (yeah.), HD's, and thumbdrives.

            You can use TweakUI from the Microsoft Powertoys for XP [microsoft.com] to disable autorun on removable storage devices. It also allows you to manually select which drive letters are allowed to use autorun so you can disable it on floppies and fixed disks.

            • I may know Linux more, but Im very aware of PowerTools. I also have the reg-dumps to do the same.

              The problem is they dont stick. If I reboot, they may disable autorun, or it may run again. You might as well flip a coin. I've yet to find how to make sure it sticks.

  • Gimme back my son!

  • and $3 Million if you also bring along the exploit code, so we know what got past.

  • by mpapet ( 761907 ) on Saturday November 15, 2008 @11:05AM (#25770765) Homepage

    Instead of having an article entitled "Millions of identities stolen" with text like "massive compromise" we have a revenge story.

    That's why corporate officers get paid the big bucks. They screw you and you feel good about it.

    • by dotgain ( 630123 )
      And even if they do catch the perp (and the headlines read something seemingly glamorous) who's to know whether the data won't still be in someone else's hands? - net result adding a $1m insult to $? injury.
  • What's that movie called which, along the same lines, someone kidnapped a relative and the guy offered the ransom money to anybody who would give info which would help capture the kidnapper, instead of giving it to the kidnapper?
  • So I guess they value their user's privacy at $1 million dollars.

    Does anyone know if this is close to the price the black market actually pays for SSN/medical records/credit card numbers?

    The guy is claiming to have information on millions of users (who knows it it's true, he could be bluffing) and the company is willing to spend $1 million as a reward to find him. That means they value each record at less than $1 each.

    This seems like a pretty dangerous poker game to be playing when you're talking a
    • There's the question of what they can afford to pay. I may value my personal information at $1 mil, but I couldn't pay that if I actually had to for some reason. They are in a situation that they could actually have to pay this. I'd rather them do this than pay the fee, as I would expect someone to dump the records onto the black market anyways after they got paid. Why would you expect honor from a thief?
      • > They are in a situation that they could actually have to pay this. I'd rather them do
        > this than pay the fee, as I would expect someone to dump the records onto the black
        > market anyways after they got paid. Why would you expect honor from a thief?

        No need to postulate honor. He may be planning on doing this again.

        On the other hand, perhaps he has done it before and did as you suggest, with the result that you see. Besides, whether they pay the ransom or not the company must behave as if the ext

  • by freelunch ( 258011 ) on Saturday November 15, 2008 @12:06PM (#25771077)

    Many 'pharmacy benefit management' companies profit by selling information about your drug purchases - and probable ailments - to the highest bidder. This is a gray area of the law. You are typically NOT able to opt-out of this selling of your information. HIPPA doesn't cover this, just like it doesn't cover off-shore companies who sell your data. It is a rapidly growing market.

    Insurance companies like Humana even make a point of mentioning that they will disclose your health data to third parties who may not be subject to privacy regulations.

    So I have to ask, who is more evil here?

    • by jellie ( 949898 )

      Just to add to that, these very same companies often have exclusive distribution rights [nytimes.com] for specialty drugs that often cost thousands of dollars a month. "Pharmacy benefit managers" reap huge profits from these drugs, even though it runs against the company's supposed goal of saving money.

    • by Nicolas MONNET ( 4727 ) <nicoaltiva&gmail,com> on Saturday November 15, 2008 @12:31PM (#25771211) Journal

      Covered by personal data protection laws; you seriously need one of those in the US. (And yeah, I know the libertardian argument against it (that it would cost zillions to business (which is obviously wrong (but that would not stop a 'tardian, would it?))))

      Additionally, as I understand it, this kind of things is also considered a major breach of pharmacist/patient privilege around here. Any pharmacist who would leak this info in the first place would quickly lose his license, on top of being criminally prosecuted. I don't even think the insurance companies get detailed info about what they're reimbursing as far as prescription meds are concerned.

      • > Covered by personal data protection laws; you seriously need one of those in the US.

        Sure. Then we can have police cameras in the restrooms, too.

        > Any pharmacist who would leak this info in the first place would quickly lose his license...

        Yes, that is the case in the US.

  • by mi ( 197448 )

    I would've applauded the company's stance immediately, had it not been for a nagging though: the data is not entirely theirs .

    What's less ethical: paying off a blackmailer, or risking your customer's very sensitive data?

    Then, again, there is no guarantee, the blackmail will ever stop anyway — even embarrassing photos can be copied before returning, digital files are practically guaranteed to remain in the scumbag's possession — so trying to apprehend the guy would still seem like the right t

    • You can't unring the bell. If the data is leaked, paying a blackmailer doesn't "unleak" it.

    • by cdrguru ( 88047 )

      Say he is caught. Exactly what might be be charged with?

      Stealing records? Can't be - they never left the original company.

      Violating privacy? Not a crime in most jurisdictions.

      And if they are in a country that really doesn't give a rat's ass about American companies and American laws, then he isn't getting prosecuted for anything, ever.

  • My childhood dream of being a digital bounty hunter is possible at last! :D Seriously, more bounties on internet crime (even if this specific incident sounds like an inside job). The feds are way to slow on the ball. Private actors could resolve things like this much better, with the caveats of not having access to mass-surveillance, and probably committing crimes themselves to investigate people, eg. pretexting. Private investigators and "physical" bounty hunters are rumored to do this all the time, thoug
  • I know the implications this has on individual privacy but I am angry at the corporate greed and irresponsibility currently going on so a part of me cheers this individual on. If they can get a cool million, fine! It'll send a message against invincibility to the corporation. Maybe it will cause Express to humble itself a bit.
  • better to put it in escrow for the coming lawsuits regarding careless handling of private information.

    Tho I suppose if even a small percent of the "millions" exposed all take up legal action (or class action it?) as a result of the extortionist exposing their records, 1M won't get them off to a very good start. I wonder how much the courts would judge for damages regarding mishandling and loss of personal information like that, per-victim? Paying a $1M bounty on his head is probably a good deal for Expres

    • by cdrguru ( 88047 )

      First off, I don't think you can sue the company unless you can prove they were somehow incompentent. Just having someone crack their security does not mean they were not taking reasonable precautions. And if they were taking what is considered to be (legally) reasonable precautions, then you aren't going to win suing them.

      So there isn't going to be any class-action lawsuit. Hasn't happened yet, and unless you have proof of incompentence, there isn't going to be one.

      As for catching the people doing this,

      • by v1 ( 525388 )

        First off, I don't think you can sue the company unless you can prove they were somehow incompentent. Just having someone crack their security does not mean they were not taking reasonable precautions. And if they were taking what is considered to be (legally) reasonable precautions, then you aren't going to win suing them.

        I'd still try, even if this weren't medical records. Now when you're dealing with medial records it's a whole new ball game. Significantly higher ante. Handling that stuff requires com

  • These people provide my benefits.

    Time to start ordering credit reports every month, yay!!

  • Does the reward stipulate where they must be captured and convicted? If the guy is out of the country its pretty unlikely that he'll be captured and convicted in the United States. If he's in one of the many places where the local government can't or doesn't care enough to, arrest and put him on trial, the reward is absolutely useless.

    This isn't like calling the tip line where you give a tip on a local drug dealer the cops can capture and convict in a matter of months. This is probably an internationa
  • This guy is hurting millions of hard working people who just want to be able to buy medication at a reasonable price when they need it. Too bad Express Scripts couldn't have hired some skilled person to hunt him down and quietly take him out at the first sign of this problem. He certainly deserves it.

  • So let the extortionist have the drugs they were sending me.

  • $1,000,000 in extortion to extract a promise "not to reveal any patient information...yet" or $1,000,000 to hire private investigators and/or a hit man. The latter is far more effective.

  • What the heck, might as well add that contingency. It doesn't suggest someone off the bastard, just that if he happens to be cold when turned in, the offer's still good. All the more fear factor added to the offense-as-defense.

"Everything should be made as simple as possible, but not simpler." -- Albert Einstein

Working...