Like most scary stories, what's happening to Express Scripts is compelling.
The company has received a letter with the names and vital information (including, in some cases, prescription information) of 75 members. The sender of the note threatens to release millions more if they are not given an undisclosed amount of money. The story had little more information.
While the Express Scripts situation is unique, blackmail and extortion are unpleasant realities of consumer and corporate life online. Well-known consultant Bruce Schneier says that denial of service (DoS) extortion is growing. To date, he says, such activity (threatening to bombard a network with an impossible-to-handle level of requests) has targeted fringe industries such as online gambling and pornography sites located in offshore locations. The implication, however, is that this could change in a hurry.
The key is that there are huge armies of botnet computers, and whether the businesses that they are let loose to attack are hawking pictures of naked people or medical records is immaterial, though the legit businesses may be better protected. Indeed, this piece at Zeal's World has a description that isn't too different from Schneier's, except that it says banks and online retailers are likely targets. This Dark Reading piece, which describes a report from the Georgia Tech Information Security Center, only mentions blackmailing DoS attacks in the first paragraph. That's enough, however. The report offers a frightening picture of the growth of botnets. The idea is that these armies of unwilling soldiers can be used to threaten networks. Indeed, the report says that one of the next big issues will be cellphone botnets that threaten mobile carriers. Blackmail is only one of the ways in which the botnets can make money for criminal gangs. It is, however, one of the scariest.
The best scary tales offer laughs amidst the chills. People's Daily Online says that four employees of a security firm in Shanghai were captured after launching a DoS attack against gaming companies in Beijing and then trying to get them to buy its firewalls. A firm was hired and the blackmailers tracked down. The funny part is that the brains behind the operation, a 19-year-old, apologized and said that he was attracted by the money. He was quoted as saying that he applied [his] talents in the wrong way and in the future will stay within the law. If only all other cyber extortionists were so easily reformed.