Instantly delete email threats for Office 365 » Free Offer
Welcome Guest | Sign In
Deliver winning CX every time

Public Ransom Demand Distinguishes Va. Breach in a Data-at-Risk World

By Erika Morphy
May 9, 2009 5:30 AM PT

A hacker -- or a group of hackers -- is attempting to hold hostage some 8 million records purportedly acquired from the Virginia Prescription Monitoring Program, according to ransom note posted to the program's Web site on April 30.

Public Ransom Demand Distinguishes Va. Breach in a Data-at-Risk World

Few statements have been released by Virginia state authorities, other than warnings that users of the program should monitor their financial records to make sure they are not victims of identity theft.

The site was down at press time.

Pay Up

The stolen patient records are stored in encrypted, password-protected files, according to the ransom note, which demands US$10 million for their return. However, government officials maintain the data was backed up, and the records have not been lost.

It is clear whether the data has been compromised, however.

The news has Virginia residents up in arms, but data breaches are nothing new in this era of poorly secured digital records.

Records theft is a multibillion-dollar industry run by organized criminal gangs with all the efficiency of legitimate business operations. What is new is the public announcement of the theft, Mandeep Khera, CMO of Cenzic, told the E-Commerce Times.

The goal is obviously publicity, but the reason is unclear.

"Usually, hackers prefer to keep their theft hidden so they can keep on milking the records for financial gain," said Khera.

Depending on how much is learned about this incident -- such as the motives behind it -- it is likely we will see more data taken hostage, Khera suggested. "It could easily happen again -- state Web sites, even federal ones, are still very vulnerable to exploit."

Companies will also be targeted -- if that's not happening already, he said, noting that "with companies, it is far more likely for something like this to happen under the radar."

Past Incidents

In fact, attempted blackmail using stolen digital records "happens more often than we realize in the corporate world," Rob Douglas, editor of, told the E-Commerce Times. "There is no doubt these types of hacks occur far more than we hear about."

That's because there is no federal law mandating breach notification, Douglas pointed out, noting there's a lack of state uniformity in that area as well.

"I have little doubt that breaches have occurred that should have been reported and the companies decided not to," he said.

Even state laws that require notification leave some wiggle room. Basically, they require that the custodian of records must make a subjective determination that the breach could lead to ID theft.

Any number of reasons could qualify as support for the conclusion that a breach wouldn't result in ID theft, he said.

Even governments are less than forthcoming about these matters, Douglas said. "It's only by reading between the lines here that we can conclude definitively that a breach occurred in Virginia. They haven't told us much else."

Should businesses and organizations require staff to provide proof of Covid-19 vaccination before physically coming to work?
Yes -- At this point it makes good sense and will help stop the spread of the virus.
No -- It sets a bad precedent against personal privacy and civil liberties.
I'm Not Sure -- There are valid arguments for and against vaccine requirements.
Deliver winning CX every time