Public Ransom Demand Distinguishes Va. Breach in a Data-at-Risk World
A multibillion-dollar industry has grown up around data theft, but most cases fly under the radar. That's what makes a recent breach in Virginia different. The perpetrator posted a public ransom note demanding that the state of Virginia cough up $10 million for the return of stolen health records. Government officials aren't saying much about the matter.
May 9, 2009 5:30 AM PT
A hacker -- or a group of hackers -- is attempting to hold hostage some 8 million records purportedly acquired from the Virginia Prescription Monitoring Program, according to a ransom note posted to the program's Web site on April 30.
Few statements have been released by Virginia state authorities, other than warnings that users of the program should monitor their financial records to make sure they are not victims of identity theft.
The site was down at press time.
The stolen patient records are stored in encrypted, password-protected files, according to the ransom note, which demands US$10 million for their return. However, government officials maintain the data was backed up, and the records have not been lost.
It is not clear whether the data has been compromised, however.
The news has Virginia residents up in arms, but data breaches are nothing new in this era of poorly secured digital records.
Records theft is a multibillion-dollar industry run by organized criminal gangs with all the efficiency of legitimate business operations. What is new is the public announcement of the theft, Mandeep Khera, CMO of Cenzic, told the E-Commerce Times.
The goal is obviously publicity, but the reason is unclear.
"Usually, hackers prefer to keep their theft hidden so they can keep on milking the records for financial gain," said Khera.
Depending on how much is learned about this incident -- such as the motives behind it -- it is likely we will see more data taken hostage, Khera suggested. "It could easily happen again -- state Web sites, even federal ones, are still very vulnerable to exploit."
Companies will also be targeted -- if that's not happening already, he said, noting that "with companies, it is far more likely for something like this to happen under the radar."
In fact, attempted blackmail using stolen digital records "happens more often than we realize in the corporate world," Rob Douglas, editor of IdentityTheft.info, told the E-Commerce Times. "There is no doubt these types of hacks occur far more than we hear about."
That's because there is no federal law mandating breach notification, Douglas pointed out, noting there's a lack of state uniformity in that area as well.
"I have little doubt that breaches have occurred that should have been reported and the companies decided not to," he said.
Even state laws that require notification leave some wiggle room. Basically, they require that the custodian of records must make a subjective determination that the breach could lead to ID theft.
Any number of reasons could qualify as support for the conclusion that a breach wouldn't result in ID theft, he said.
Even governments are less than forthcoming about these matters, Douglas said. "It's only by reading between the lines here that we can conclude definitively that a breach occurred in Virginia. They haven't told us much else."