Extortion threat exposes “potential large data breach”

Graham Cluley

Express Scripts handles the medical prescriptions of millions of Americans every year through home delivery and at retail pharmacies. That’s a lot of important data for the Fortune 150 company to look after.

You can, therefore, understand why Express Scripts took a recent letter that threatened to expose millions of the company’s medical customers’ records seriously.

According to media reports and a press release by the firm, an unknown person or persons sent an extortion letter to the company in early October, including the names, dates of birth, social security numbers, and prescription information of 75 customers.

Express Scripts has published information on its website

Express Scripts has done the right thing.

Firstly, it hasn’t paid any money. That’s important because paying blackmailers only encourages them to ask for more money, or to steal from others.

Express Scripts has also called in the FBI, and begun its own investigation into how the security of their databases might have been breached.

Furthermore, it has gone public on the incident. A press release has been posted to the wires, and a section set up on their website explaining to customers that there has potentially been a large data security breach. Imagine what the implications might have been if they had tried to hush up the incident, paid off the blackmailer, and never told their customers about the possible slip-up.

What’s interesting to me is that having got his paws on the data (we don’t know presently whether he has only got 75 records or perhaps millions..) the criminal chose to try and extort money out of Express Scripts. He notably didn’t try and exploit the identity information himself, as far as we can tell, and he didn’t try and sell the data on via the computer underground.

That suggests to me that either he thinks he can make more money by blackmailing Express Scripts (sorry buster, it doesn’t seem that they want to play ball..) or that he simply isn’t circulating in the right underground circles to know how to fence the information on to other criminals.

Although we did hear a story recently about a chap accused of trying to get money out of Maserati after allegedly stealing customer information, it’s pretty rare to hear stories of data thieves trying to extort money from their victims rather than the more “conventional” stories of distributed denial-of-service (DDoS) and ransomware blackmail attempts.

Whether that’s because firms who are targeted by data thieves don’t make the incident public like Express Scripts have is hard to say.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
