INSTA-LEADS: Our Full-Service B2B Marketing Program Delivers Sales-Ready Leads Click to Learn More!
Welcome Guest | Sign In

Public Ransom Demand Distinguishes Va. Breach in a Data-at-Risk World

By Erika Morphy
May 9, 2009 5:30 AM PT

A hacker -- or a group of hackers -- is attempting to hold hostage some 8 million records purportedly acquired from the Virginia Prescription Monitoring Program, according to ransom note posted to the program's Web site on April 30.

Public Ransom Demand Distinguishes Va. Breach in a Data-at-Risk World

Few statements have been released by Virginia state authorities, other than warnings that users of the program should monitor their financial records to make sure they are not victims of identity theft.

The site was down at press time.

Pay Up

The stolen patient records are stored in encrypted, password-protected files, according to the ransom note, which demands US$10 million for their return. However, government officials maintain the data was backed up, and the records have not been lost.

It is clear whether the data has been compromised, however.

The news has Virginia residents up in arms, but data breaches are nothing new in this era of poorly secured digital records.

Records theft is a multibillion-dollar industry run by organized criminal gangs with all the efficiency of legitimate business operations. What is new is the public announcement of the theft, Mandeep Khera, CMO of Cenzic, told the E-Commerce Times.

The goal is obviously publicity, but the reason is unclear.

"Usually, hackers prefer to keep their theft hidden so they can keep on milking the records for financial gain," said Khera.

Depending on how much is learned about this incident -- such as the motives behind it -- it is likely we will see more data taken hostage, Khera suggested. "It could easily happen again -- state Web sites, even federal ones, are still very vulnerable to exploit."

Companies will also be targeted -- if that's not happening already, he said, noting that "with companies, it is far more likely for something like this to happen under the radar."

Past Incidents

In fact, attempted blackmail using stolen digital records "happens more often than we realize in the corporate world," Rob Douglas, editor of, told the E-Commerce Times. "There is no doubt these types of hacks occur far more than we hear about."

That's because there is no federal law mandating breach notification, Douglas pointed out, noting there's a lack of state uniformity in that area as well.

"I have little doubt that breaches have occurred that should have been reported and the companies decided not to," he said.

Even state laws that require notification leave some wiggle room. Basically, they require that the custodian of records must make a subjective determination that the breach could lead to ID theft.

Any number of reasons could qualify as support for the conclusion that a breach wouldn't result in ID theft, he said.

Even governments are less than forthcoming about these matters, Douglas said. "It's only by reading between the lines here that we can conclude definitively that a breach occurred in Virginia. They haven't told us much else."

Facebook Twitter LinkedIn Google+ RSS
Should social media sites be held accountable for terrorists' communications?
Yes -- They are providing a platform to facilitate murder and mayhem.
Yes -- Everything must be done to protect society from danger.
Maybe -- I'm not sure they have the technological capability to stop them.
Maybe -- I'm not convinced terrorists are using them for serious plotting.
No -- Authorities should monitor social networks to gather intelligence.
No -- Social networks are no different than phone carriers or mail services.