Apparently, hackers stole even more of Express Scripts’ member information than was initially revealed last fall. An additional 1,771 New Hampshire residents are being sent data breach notification letters this week, according to a September 14 letter from Express Scripts.

Express Scripts, one of the world’s largest pharmacy benefits management companies, revealed in November 2008 that hackers demanded ransom in exchange for stolen customer information. Unless the ransom was paid, the hackers threatened to reveal the members’ information.

To strengthen their threat, the hackers sent personal information–including names, birth dates, Social Security numbers and some prescription details–of 75 of the firm’s 50 million customers.

Express Scripts publicly refused to pay the ransom, even after some of their customers received similar letters, extortion attempts and sample employee information. Toyota, government agencies and labor unions were among those contacted by the hackers.

In response to the hackers ramped up threats, Express Scripts offered a $1 million reward to anyone providing information leading the arrest and conviction of the hackers.

The identification of additional data breach victims in New Hampshire came from new information from the FBI, according to the recent letter sent from Express Scripts’ Vice President and Deputy General Counsel Janice Forsyth to New Hampshire Attorney General Michael Delaney.

It is unclear whether FBI forensics discovered more victims or the hackers contacted them with additional information.

Express Scripts has never revealed how many members were affected by the data breach, or how much ransom the extortionists demanded.

“There are thousands of companies that have already paid off extortionists in return for not having their customer’s data exposed,” Alan Paller said when Express Scripts made their initial announcement. Paller is research director of SANS Institute, a computer security training group.

“This is especially true in the financial industry, as some banks are getting more than one new extortion demand a day,” Paller said.

Click Here To Bookmark It

Hide Sites

Apparently, hackers stole even more of Express Scripts’ member information than was initially revealed last fall. An additional 1,771 New Hampshire residents are being sent data breach notification letters this week, according to a September 14 letter from Express Scripts.

Express Scripts, one of the world’s largest pharmacy benefits management companies, revealed in November 2008 that hackers demanded ransom in exchange for stolen customer information. Unless the ransom was paid, the hackers threatened to reveal the members’ information.

To strengthen their threat, the hackers sent personal information–including names, birth dates, Social Security numbers and some prescription details–of 75 of the firm’s 50 million customers.

Express Scripts publicly refused to pay the ransom, even after some of their customers received similar letters, extortion attempts and sample employee information. Toyota, government agencies and labor unions were among those contacted by the hackers.

In response to the hackers ramped up threats, Express Scripts offered a $1 million reward to anyone providing information leading the arrest and conviction of the hackers.

The identification of additional data breach victims came from new information from the FBI, according to the recent letter sent from Express Scripts’ Vice President and Deputy General Counsel Janice Forsyth to New Hampshire Attorney General Michael Delaney.

It is unclear whether FBI forensics discovered more victims or the hackers contacted them with additional information.

Express Scripts has never revealed how many members were affected by the data breach, or how much ransom the extortionists demanded.

“There are thousands of companies that have already paid off extortionists in return for not having their customer’s data exposed,” Alan Paller said when Express Scripts made their initial announcement. Paller is research director of SANS Institute, a computer security training group.

“This is especially true in the financial industry, as some banks are getting more than one new extortion demand a day,” Paller said.

Click Here To Bookmark It

Hide Sites

Express Scripts announced two weeks ago that extortionists had contacted them and threatened to release personal and medical information on their clients if they failed to meet the criminals’ demands. Express Scripts contacted the FBI instead, and refused to cave to the extortionists’ demands.

Well, the story has taken more than one interesting turn since that initial announcement.

The extortionists–faced with Express Scripts’ staunch refusal to pay up—have apparently had to come up with a B-plan. Express Scripts announced last week that some of its clients—government agencies, unions, and employers—had received letters similar to the one sent to Express Scripts in October. The letters demand the companies’ pay up, or the extortionists say they’ll release the personal and medical information of their members.

Express Scripts announced at the same time that they have established a $1 million reward for anyone providing information that leads to the arrest and conviction of the criminals responsible for stealing the members’ data and issuing the ransom demands.

At the time of their original statement, officials with Express Scripts said they received comprehensive information on 75 of their members along with the demand for ransom. At the time they said they didn’t know how the information had been obtained.

“We have been conducting a thorough investigation since we received this threat and we are taking it very seriously,” said George Paz, chairman and chief executive officer. “Express Scripts is committed to the privacy and security of our members’ personal information, so a threat like this against our members is outrageous.”

Visit LifeLock.com to learn more about their identity theft. Enroll using the Life Lock promotional code Defense for the best prices available.

Click Here To Bookmark It

Hide Sites

Express Scripts has gone public today with information that they were contacted early in October by extortionists who threatened to disclose personal and medical information on millions of the company’s customers if Express Scripts doesn’t meet their ransom demands.

The ransom request was sent by mail and accompanied by the names, birth dates, Social Security numbers and, in some cases, prescription details, of 75 of the firm’s 50 million customers.

George Paz, Express Scripts’ chief executive, said the company will not pay the ransom, but declined to say how much money the extortionists demanded.

Express Scripts is one the largest pharmacy benefit management companies, and handles approximately 500 million prescriptions a year.

A company spokesman said they contacted the Federal Bureau of Investigations when the received the ransom demand last month, but still don’t know how the stolen information was obtained.

What makes this situation unique is Express Scripts’ unwillingness to pay up, according to Alan Paller, director of research for the SANS Institute, a computer security training group.

“There are thousands of companies that have already paid off extortionists in return for not having their customers’ data exposed,” Paller said. “This is especially true in the financial industry, as some banks are now getting more than one new extortion demand a day.”

Paller said few cases like Express Scripts’, involving cyber and data extortion, become public because their victims usually prefer to pay the ransom and avoid the publicity.

LifeLock is an industry leader in identity theft services, with almost 1.5 million members in the United States. Visit their website at LifeLock.com and see how they can help protect your finances, credit standing and your good name.

Sign up for their innovative services using the Life Lock Promotion Code Defense and get the lowest price with 30 days of free identity theft protection.

At the end of the 30-day free period, your card will be automatically billed $9 monthly unless you cancel within that first 30-day period. You can cancel anytime without penalty by calling 1-800-LIFELOCK. This offer is for new LifeLock members only.

Click Here To Bookmark It

Hide Sites