$1M Reward Offered To Nab Data Breach Extortionist 134
alphadogg writes with this excerpt from NetworkWorld:
"Express Scripts, the pharmacy benefits management company which recently disclosed an extortionist is demanding money by threatening to expose millions of patient records the company holds, Wednesday said it has decided to offer $1 million to nab the perpetrator. 'We're going on the offense with this reward,' an Express Scripts spokesman said. The $1 million will be paid to anyone who provides information leading to the capture and conviction of the extortionist who sent a letter to Express Scripts in early October that contained personal information on 75 people, considered members, who use the company's pharmacy-benefits services. The extortionist claims to have information on millions more Express Scripts members and wants money to not reveal it."
IT'S ME (Score:1, Funny)
The same principle as not dealing with terrorists (Score:4, Insightful)
Terrorize the slimebag instead. Make him wonder which one of his buddies that he bragged to will turn him in.
Re:The same principle as not dealing with terroris (Score:3, Insightful)
And if he's too smart for that? Might just piss him off and he might release the names regardless of payment.
If i was the guy, i bet i worked alone and would call their bluff and laugh at them.
Re: (Score:2)
And if he's too smart for that? Might just piss him off and he might release the names regardless of payment.
If i was the guy, i bet i worked alone and would call their bluff and laugh at them.
Doesn't matter. You'd eventually get caught.
Re: (Score:3, Insightful)
The smart ones don't.
Re: (Score:2)
The smart ones don't.
The smart ones don't do it in the first place.
That's like making a reference to people doing meth, and then referring to one of them as 'the smart one'.
Re:The same principle as not dealing with terroris (Score:5, Insightful)
You cant compare theft to drug use.
Smart people do commit crimes ( morals have nothing to do with intelligence ). The dumb ones get caught and serve time.
Re: (Score:3, Funny)
You cant compare theft to drug use.
Smart people do commit crimes ( morals have nothing to do with intelligence ). The dumb ones get caught and serve time.
Well crap. I'd mod you insightful, but I already posted...
Re: (Score:2)
To "call their bluff" you must sell the data to someone. That someone just might decide he could use another $1M.
Re: (Score:2)
Well you don't just put it on ebay...
The value of the data might just be more then the reward.
Re: (Score:2)
Re: (Score:2)
The 1 million for conviction is nice, but they should also offer a $50,000 reward just for his arrest because convictions can take years but arrests usually happen within days of police finding evidence.
I'd turn in my friends for 50 grand if they did something so stupid, but then, how do you get rewarded for securing a company's security holes? If he politely told them what they did wrong, he'd be accused of being a hacker
Opportunity (Score:5, Interesting)
All the extortionist need do now is move the data to someone else's machine then shop him in.
Re: (Score:2)
The situation here isn't a "we want the data back" it's "we want to stop the perp"....different situation.
Re: (Score:2)
You mis understand the GPs point, all the perp has to do is frame someone else for the crime and said perp gets to keep the 1 million while someone innocent gets charged with his crime.
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
Of course not, they're all completely incompetent! They got their jobs by sending in a coupon off a cereal box!
Re: (Score:2)
For $1M, the perp may be encouraged to try some Ninja access. Dead-tree plant in your residence and an anonymous phone call... that's all it would take.
Re: (Score:1)
For $1M, the perp may be encouraged to try some Ninja access. Dead-tree plant in your residence and an anonymous phone call... that's all it would take.
How do you collect the reward if you report it anonymously?
You might be correct (and super paranoid;-) if you rephrase it that the company frames someone they don't like and claim that there was an anonymous tip. That way the company gets free publicity by offering a reward but doesn't have to actually pay the $1M.
Besides I'm sure anyone trying to claim $1M will be thoroughly investigated as well.
Re: (Score:2)
For a company that couldn't protect their data, didn't know they had been hacked, and didn't have records to investigate after the fact, do you think they really know what they want?
As for who the perp is, I think there's more than one person. The extortionist, to be sure, should be caught and brought to justice, but so should the perps on the inside, who, through gross negligence or incompetency, let
Re:Opportunity (Score:5, Insightful)
I think there may be a small problem with that. Didn't the USA offer a reward similar to this for Osama Bin Laden?
The trouble with being a friend of this extortionist is that all your sins are likely to be discovered if you turn them in, even if you do get the money.
I'd like to see the reward work, but am not holding my breath for it.
Re: (Score:2)
all your sins are likely to be discovered if you turn them in
$1 million would make me care very little about my own sins or who knows about them.
Re: (Score:1, Flamebait)
I think that it is sad that people are such cowards that having their prescription histories made public would worry them.
Re:Opportunity (Score:4, Insightful)
I think that it is sad that people are such cowards that having their prescription histories made public would worry them.
It isn't about cowardice.
It's about not wanting your employer to maybe fire you because you have an AZT prescription or are on chemotherapy or are on medicine for ADD/ADHD and have a job working with million dollar custom surface-mount circuitry or are a neurosurgeon.
Re: (Score:2)
I am sure that a big bunch of their customers are prescription drug addicts.
Re: (Score:2)
I think that it is sad that people are such cowards that having their prescription histories made public would worry them.
It isn't about cowardice. It's about not wanting your employer to maybe fire you because you have an AZT prescription or are on chemotherapy or are on medicine for ADD/ADHD and have a job working with million dollar custom surface-mount circuitry or are a neurosurgeon.
why would your employer fire you if you have one of those diseases when you are doing a good job?, I don't see why a competent employer would fire its best employees just because they have a disease
You're assuming an honest employer. Many companies would fire people with health problems on the chance that they might cause a heavy health insurance burden or if their medical condition might cause a future liability problem.
They won't say it's because of the medical issue of course - they'll find some other excuse.
Re: (Score:2)
No one wants to be treated by a surgeon with a medical problem. When it's your life on the line you want someone who doesn't need pills to keep them concentrating.
No one wants their lawyer to be on treatment for alcoholism.
Lots of people don't want their daughters to take contraceptive pills.
The list goes on and on. There are a lot of valid reasons not to want your medical history public, and given that it's YOUR medical history that shouldn't be a problem.
Re: (Score:3, Insightful)
The subsequent criminal investigation — capture and conviction are the conditions for the reward — is likely to reveal the truth anyway. Slipping somebody a gun, or bag of cocaine, or stolen (hey, at least, we aren't arguing about the applicability of the term here!) data does make the person a suspect, but not a convict — unless a policeman is doing it, for judges tend to trust those people...
Th
Re: (Score:2)
Quite possibly they're hoping he does something 'smart' like this and thus gives himself away to the authorities. Anyone trying to claim the reward would I'm sure come under a lot of scrutiny, and likewise for the alleged criminal.
William Gibson! (Score:3, Funny)
Pharmacom called.
They're upset that the records on the Black Shakes might be released. Did Johnny Mnemonic loop it through Jones?
Re: (Score:1, Insightful)
::notices you apparently don't have any idea who William Gibson or Johnny Mnemonic are::
This is your official confirmation that you're not geekworthy enough to post here.
Please cancel your account.
hint [wikipedia.org]
Re: (Score:2)
Such smugness.
This [wikipedia.org] is your official confirmation that you fit right in the the weekend wannabees. Buh-bye!
Re: (Score:2)
Re: (Score:2)
ha ha ha... FAIL.
Read more.
how would the extortionists collect the payment? (Score:4, Insightful)
isn't there a way to track the bank account that the payment is transferred to? how do those DDoS extortion rings collect the money that they demand from online businesses? i mean, if the criminals are asking that the money be wired to a specific account, couldn't the bank determine what bank that account belongs to (how else would they wire the money)? if the bank is located in a country that has an extradition treaty with the U.S. then they could just wire the money and catch the crooks when they try to access the account.
on a separate note, my father recently had some inexplicable PayPayl "instant transfers" show up on his checking account statement. however, he hasn't used PayPal or purchased anything from PayPal merchants in over 2-3 years. does anyone know if there is a common identify-theft or banking fraud technique involving the use of PayPal and checking accounts? or could this perhaps just be a computer error? i'm just wondering because if this is a sign of identity-theft then i need to have my dad cancel his checks and credit cards. and so far Washington Mutual has been very unhelpful regarding this situation.
Re: (Score:1)
If I were an extortionist, a simple everyday bank account "at the bank over there at the street corner" would be the last thing I'd be using.
A Swiss bank perhaps? I think there may be countries that are even more "secure" for the perp.
Re: (Score:2)
Re: (Score:2)
well, there were two separate transactions made on two consecutive days--one for ~$90 and one for ~$30. so i don't think it could have been a surcharge. but thanks the tip anyway.
Re: (Score:2)
LSD,
The guy telling you that was wrong, anyway.
Paypal GIVES you a few cents, twice, to verify your account.
If you have two charges, chances are, something is amiss.
WaMu is still in business?
--Toll_Free
Re: (Score:2)
they're now part of JPMorgan Chase, so technically they're still in business, but they're under new management.
i was hoping the change in ownership would be a good thing, but so far my experience with their customer service regarding banking fraud has been rather underwhelming. there's no dedicated support line for identity-theft/banking fraud/mischarges, and it's practically impossible to get a hold of a human operator even on weekdays during their regular business hours.
i'm wondering if i should contact P
Re: (Score:2)
PayPal would be my first choice, since they are / where the ones that processed the transaction to your fathers account. I believe they have stop-gap prevention measures in place, as long as you act soon enough. I've never had to go that far, only once was I conned on ebay. Finding out the High School kids mothers work number, and giving her a call about her scammer kid at work was enough to get me my car stereo I purchased :)
WaMu, I haven't had a lot of experience with. I tend to go to credit unions, a
Re: (Score:2)
It's likely he didn't think that all the way through. You have to remember that criminals are often not all that savvy. He may have just assumed that the money would be paid and that'd be it. True, if the company didn't contact the FBI. However if it was paid out as a setup, pretty likely they'd find out who he is. Money is rather traceable, when necessary.
That's one reason why you almost never see kidnapping for ransom in the US. Used to happen, but you find out that the FBI has a 100% closure rate these d
Re: (Score:1, Interesting)
Simply put the money goes into accounts either in the Grand Cayman's which will not allow any tracking or bounces through 100 accounts before it hits a bank in a former communist country.. in either case the banks and/or the country will not cooperate with the rest of the world
Re: (Score:2)
Re:how would the extortionists collect the payment (Score:2)
Wire it to a bank in one of a number of countries where it is illegal to even ask who owns a bank account. There aren't as many places today, but there are still a few where accounts are all numbers. It's a numbered account and you have an id number, not a name. You call in, give the proper ID number and password and wire the money on to another bank, usually controlled by your friends in the >.
More customer data... (Score:5, Insightful)
I think some minimum security requirements are needed by law before people will start securing personal data like this. I think one thing preventing this is the wide deployments of Windows out there that could never meet strict security requirement. (That is just my bias talking) The web server www.express-scripts.com is reported by nmap as running freebsd, but it also shows a few ports in the 8000 range "closed" but otherwise detected. I have to wonder what that's about... nmap identifies one of them as an apple-iphoto service port of some kind. I am sure that can't be right.
IT has always been a wild-west environment where anyone can claim to be an expert. People set things up with no standards. It doesn't help that executives with no understanding of technologies or risks insist on things being done in spite of risks they are presented with. Even as there are problems all around with important data being lost, stolen, misplaced or exposed, people fail to look to the cause and prevention aspects of these problems. I cannot imagine this changing until people are threatened with massive fines or imprisonment. The fines that many businesses suffer in other areas are insufficient deterrent and become factored into business budget plans... the fines must be MASSIVE.
Re: (Score:2)
Re: (Score:1, Insightful)
And what would be wrong with that? If you run a server, it's your decision which services you make available to the public. Port scanning is just like window shopping.
Re: (Score:2)
I have some services running on my local network. Namely, I have XDMCP, and PulseAudio publicly announcing every X time that services are being offered. Samba sits alone, as does ssh and a few other apps.
The key: Apache has no "announce" option to the backbone to the net, nor will it ever do that. Announcing is for private networks in which total announced messages will be negligible.
That said, how are we supposed to figure out what services are being offered and where? Many sites offer http:80 [80], http:8080 [8080],
Re: (Score:2)
Before I open my mouth and say "hey, they are probably running windows!" I thought it best to do essentially the same thing NetCraft does. Port scanning is not an attempt at entry.
But to answer your question: no, I don't. I just use the legal resources I have available to me to get some facts before I make comments. Not only do I RTFA most of the time, I also do what fact-checking I can within a few seconds... don't you?
Re: (Score:2)
That sure depends on what country you are in.
Some years back a kid in Denmark got hit with attempted hacking because he was port scanning sites, the court found him guilty because he not only had NMAP but other tools that in conjunction could be used for hacking.
Re: (Score:2)
NMAP and nc is all one really needs to hack other computers on the net.
Re: (Score:1)
Re: (Score:2)
Well, true.
As for scanners, they evolved from shell scripts that ping, udp-ping and tcp-ping the target based upon switches. I remember hacking a rudimentary one together on a heavily locked-down network. It got it's job done, and nobody was the wiser.
Making your own tools also helps when you are on windows machines that find "hacktools" as viruses and refuse to let them run. Of course, that's where a packer comes in.
Re: (Score:2)
udp-ping and tcp-ping ? come again ?
Re: (Score:3, Insightful)
Re: (Score:2)
You seem to be assuming something I never wrote. I specified any number of ways breeches happen including "lost and misplaced" things.
However, with that said, it is stupid for people to be able to walk around with data on laptops at all. If it is important, it is important that it stay locked up and accessed remotely and securely... and really, best if it isn't even remotely at all.
What business does anyone have with needing to have such important data as large contact/customer/personal-records databases
Re: (Score:1)
Wasn't there a slashdot story within the last year or two about someone sprinkling a handful of small USB thumb drives on the ground outside a bank branch that used Windows? And that before the day was out, about half of the memory sticks had "phoned home"?
Social engineering is much too easy.
And professionals can't even agree that it's a terrible idea to put, say, flood control dam control computers on the internet.
I can't count the number of times during "customer service" type calls where the employee ve
Re: (Score:2)
Linux and Mac both can stop "bad thumbdrives", although I dont know if you can disable the auto-run part of the windows software. I've succeeded on cd's, but the problem still affects floppies (yeah.), HD's, and thumbdrives. I run a VBox session of WinXP when I need to run that windows-only software that doesnt run correctly in Wine, so I can also test reg-edits that may bork my system.
In the Linux world, you just dont have permissions to exec mount, or to use FUSE. There. Solves that problem. Better yet, I
Re: (Score:2)
although I dont know if you can disable the auto-run part of the windows software. I've succeeded on cd's, but the problem still affects floppies (yeah.), HD's, and thumbdrives.
You can use TweakUI from the Microsoft Powertoys for XP [microsoft.com] to disable autorun on removable storage devices. It also allows you to manually select which drive letters are allowed to use autorun so you can disable it on floppies and fixed disks.
Re: (Score:2)
I may know Linux more, but Im very aware of PowerTools. I also have the reg-dumps to do the same.
The problem is they dont stick. If I reboot, they may disable autorun, or it may run again. You might as well flip a coin. I've yet to find how to make sure it sticks.
Had to be said... (Score:1)
Gimme back my son!
$2 Million if you just bring us their head(s) (Score:2)
and $3 Million if you also bring along the exploit code, so we know what got past.
Nice way to Change the Discussion (Score:5, Insightful)
Instead of having an article entitled "Millions of identities stolen" with text like "massive compromise" we have a revenge story.
That's why corporate officers get paid the big bucks. They screw you and you feel good about it.
Re: (Score:1)
What's the movie called? (Score:1)
Re: (Score:2)
Ransom starring Mel Gibson. Came on this morning.
So I guess they value their user's privacy at (Score:1)
Does anyone know if this is close to the price the black market actually pays for SSN/medical records/credit card numbers?
The guy is claiming to have information on millions of users (who knows it it's true, he could be bluffing) and the company is willing to spend $1 million as a reward to find him. That means they value each record at less than $1 each.
This seems like a pretty dangerous poker game to be playing when you're talking a
Re: (Score:1)
Re: (Score:2)
> They are in a situation that they could actually have to pay this. I'd rather them do
> this than pay the fee, as I would expect someone to dump the records onto the black
> market anyways after they got paid. Why would you expect honor from a thief?
No need to postulate honor. He may be planning on doing this again.
On the other hand, perhaps he has done it before and did as you suggest, with the result that you see. Besides, whether they pay the ransom or not the company must behave as if the ext
Evil Pharmacy benefits mgmt companies (Score:5, Interesting)
Many 'pharmacy benefit management' companies profit by selling information about your drug purchases - and probable ailments - to the highest bidder. This is a gray area of the law. You are typically NOT able to opt-out of this selling of your information. HIPPA doesn't cover this, just like it doesn't cover off-shore companies who sell your data. It is a rapidly growing market.
Insurance companies like Humana even make a point of mentioning that they will disclose your health data to third parties who may not be subject to privacy regulations.
So I have to ask, who is more evil here?
Re: (Score:2)
Just to add to that, these very same companies often have exclusive distribution rights [nytimes.com] for specialty drugs that often cost thousands of dollars a month. "Pharmacy benefit managers" reap huge profits from these drugs, even though it runs against the company's supposed goal of saving money.
Interesting. This is highly illegal in Europe (Score:4, Informative)
Covered by personal data protection laws; you seriously need one of those in the US. (And yeah, I know the libertardian argument against it (that it would cost zillions to business (which is obviously wrong (but that would not stop a 'tardian, would it?))))
Additionally, as I understand it, this kind of things is also considered a major breach of pharmacist/patient privilege around here. Any pharmacist who would leak this info in the first place would quickly lose his license, on top of being criminally prosecuted. I don't even think the insurance companies get detailed info about what they're reimbursing as far as prescription meds are concerned.
Re: (Score:2)
> Covered by personal data protection laws; you seriously need one of those in the US.
Sure. Then we can have police cameras in the restrooms, too.
> Any pharmacist who would leak this info in the first place would quickly lose his license...
Yes, that is the case in the US.
Re:Interesting. This is highly illegal in Europe (Score:4, Informative)
I don't think so. This information has been collected and sold for decades. One of my relatives is a pharmacist. When business was slow, she would fill out a small form for each prescription that was dispensed that day. The data collection company paid a small fee for each completed form. This practice wasn't secret or considered a violation of professional ethics.
Re: (Score:2)
Sure. Then we can have police cameras in the restrooms, too.
UK != Europe
Thank FSM, too.
Ethical? (Score:2)
I would've applauded the company's stance immediately, had it not been for a nagging though: the data is not entirely theirs .
What's less ethical: paying off a blackmailer, or risking your customer's very sensitive data?
Then, again, there is no guarantee, the blackmail will ever stop anyway — even embarrassing photos can be copied before returning, digital files are practically guaranteed to remain in the scumbag's possession — so trying to apprehend the guy would still seem like the right t
Re: (Score:1)
You can't unring the bell. If the data is leaked, paying a blackmailer doesn't "unleak" it.
Re: (Score:2)
Say he is caught. Exactly what might be be charged with?
Stealing records? Can't be - they never left the original company.
Violating privacy? Not a crime in most jurisdictions.
And if they are in a country that really doesn't give a rat's ass about American companies and American laws, then he isn't getting prosecuted for anything, ever.
Re: (Score:2)
Extortion [wikipedia.org]. A crime everywhere.
Finally... (Score:1)
I risk flame or troll on this one (Score:2)
what better to do with the $1M (Score:2)
better to put it in escrow for the coming lawsuits regarding careless handling of private information.
Tho I suppose if even a small percent of the "millions" exposed all take up legal action (or class action it?) as a result of the extortionist exposing their records, 1M won't get them off to a very good start. I wonder how much the courts would judge for damages regarding mishandling and loss of personal information like that, per-victim? Paying a $1M bounty on his head is probably a good deal for Expres
Re: (Score:2)
First off, I don't think you can sue the company unless you can prove they were somehow incompentent. Just having someone crack their security does not mean they were not taking reasonable precautions. And if they were taking what is considered to be (legally) reasonable precautions, then you aren't going to win suing them.
So there isn't going to be any class-action lawsuit. Hasn't happened yet, and unless you have proof of incompentence, there isn't going to be one.
As for catching the people doing this,
Re: (Score:2)
First off, I don't think you can sue the company unless you can prove they were somehow incompentent. Just having someone crack their security does not mean they were not taking reasonable precautions. And if they were taking what is considered to be (legally) reasonable precautions, then you aren't going to win suing them.
I'd still try, even if this weren't medical records. Now when you're dealing with medial records it's a whole new ball game. Significantly higher ante. Handling that stuff requires com
Well, crap. (Score:1)
These people provide my benefits.
Time to start ordering credit reports every month, yay!!
"Capture and Conviction" (Score:1)
This isn't like calling the tip line where you give a tip on a local drug dealer the cops can capture and convict in a matter of months. This is probably an internationa
Hunt him down and take him out. (Score:2)
This guy is hurting millions of hard working people who just want to be able to buy medication at a reasonable price when they need it. Too bad Express Scripts couldn't have hired some skilled person to hunt him down and quietly take him out at the first sign of this problem. He certainly deserves it.
They don't work anyway (Score:2)
So let the extortionist have the drugs they were sending me.
I agree with this approach. (Score:2)
$1,000,000 in extortion to extract a promise "not to reveal any patient information...yet" or $1,000,000 to hire private investigators and/or a hit man. The latter is far more effective.
Dead Or Alive (Score:2)
What the heck, might as well add that contingency. It doesn't suggest someone off the bastard, just that if he happens to be cold when turned in, the offer's still good. All the more fear factor added to the offense-as-defense.
Re:Million dollar reward (Score:4, Informative)
I completely agree. I've known people who have worked for that company. Now anyone dealing with their customer service or prescription filling has to sign an NDA saying that even after leaving, they can't disclose any information. Apparently a lot of famous people like to pop prescription drugs (no surprise there).
Their security at night is lax. The women don't work and instead just find the nearest security guard and closet and have some fun. Either way, it wouldn't be too hard to get a lot of information and dip your hands into the extortion bracket.
Re: (Score:2)
Your second cousin's sister's best ex friend, no doubt.
Just what drug are you taking? Patient data privacy is covered by HIPPA, you don't need an NDA to nail people for things that are blatantly illegal.
Re: (Score:2)
Your second cousin's sister's best ex friend, no doubt.
Hey, dipshit, try to read. I sad "people", not "person", or, "someone". A little comprehension goes a very long way.
Just what drug are you taking? Patient data privacy is covered by HIPPA, you don't need an NDA to nail people for things that are blatantly illegal.
None, jackass. An AC already covered it for me.
Uh, no. Lots of people use medications. Even famous people are subject to the travails and ills of us ordinary folk. And I would be astonished, yes truly astonished, if someone in the rich-and-famous category was using Express Scripts. And further, since I creating yet-another-run-on-sentence that starts with 'and' -- the fun drugs are hard to get from legit mail order pharmacies.
No to what exactly? That famous people aren't well known for abusing prescription drugs? All you need is a prescription from a doctor, durh, and apparently it's not hard to get one if you have the money, otherwise prescription drug abuse wouldn't be so damn easy.
Would you like to continue this conversation in your trollish attitude, or would you
Re:Million dollar reward (Score:5, Insightful)
RTFA, they have upped their security since the letter was sent to them. and since no one knows how exactly the records were stolen, i think you're just talking out of your ass claiming it as "complete stupidity on their part."
at least the company is smart enough to realize that there's no such thing as perfect security (which apparently is more than can be said about you). however, having found themselves in a situation in which their customer records have been stolen, they are taking all precautionary measures the minimize the damage.
they were honest about the breach and came out publicly about it rather than trying to suppress the information. they contacted the FBI, who have launched an ongoing criminal investigation. the company has also hired data security & computer forensics experts to launch their own independent investigation into the matter. additionally, they have contracted a risk-consulting firm to provide free identity restoration services to affected customers in order to mitigate potential damages. they seem to have done everything in their power to redress the situation. what else were they supposed to do? give in to the extortionists' demands and try to sweep this under the rug?
Re: (Score:2, Insightful)
> what else were they supposed to do? give in to the extortionists' demands and try to sweep this under the rug?
Well, that's the most popular option for financial firms, because the financial industry the largest confidence game ever created. I'm not saying this sarcastically -- the entire market is based on the trust and confidence between buyers and sellers; There is no truly "safe bet" in the industry. They went public because there was no way they could do damage control on several million accounts a
Re: (Score:3, Informative)
again, RTFA:
Re: (Score:2)
huh? who said that they were hacked, much less from the internet? they are still trying to determine where the information was leaked from, including the possibility that this was an inside job.
as i said, no one knows how the records were stolen or who was even involved. so pulling facts out of your ass without even bothering to RTFA to understand the situation is more idiotic than anything that can be pinned on Express Scripts at this point.
Re: (Score:1)