Dec 032009
 

Brendon Tavelli of Proskauer Rose writes:

On November 23, 2009, a federal court in Missouri bucked the recent trend in identity exposure lawsuits and refused to recognize Article III standing in a class action lawsuit that alleged simply an increased risk of identity theft resulting from a data breach. In Amburgy v. Express Scripts, Inc., Magistrate Judge Frederick R. Buckles of the U.S. District Court for the Eastern District of Missouri held that “plaintiff’s asserted claim of ‘increased-risk-of-harm’ fails to meet the constitutional requirement that a plaintiff demonstrate harm that is ‘actual or imminent, not conjectural or hypothetical.’ Plaintiff has therefore failed to carry his burden of demonstrating that he has standing to bring this suit.” Consequently, the Court dismissed the plaintiff’s action – which included claims for negligence, breach of contract, violations of state data breach notification laws and violations of Missouri’s Merchandising Practices Act (“MPA”) – in its entirety for lack of subject matter jurisdiction pursuant to Rule 12(b)(1) of the Federal Rules of Civil Procedure. In doing so, the court breathed new life into the lack of standing argument that had begun to fall out of favor in identity exposure cases.

Read more on Proskauer’s Privacy Law Blog.

Oct 022009
 

Almost a year after it was contacted by an extortionist, pharmacy benefits management company Express Scripts first learned that the extortionist was in possession of at least 700,000 more members’ personal information than they originally knew about. The company has now notified those individuals, but how many other members may also be affected? It’s time for the company to notify everyone.

Earlier this week, while reporting new details on the Express Scripts breach, I commented on a statement made by Express Scripts on their web site that the company was “unaware at this time of any actual misuse of members’ information, but we understand the concern that this situation has caused our members.” I noted that the statement struck me as somewhat preposterous because the company was already aware of actual misuse of the information — the extortion demand itself was actual misuse of the information.

Yesterday, a site reader alerted me to the fact that Express Scripts subsequently changed that portion of their support web site to now read:

At this time, Express Scripts has not confirmed any fraudulent misuse of member information as a result of this incident.

While I appreciate that they are no longer suggesting that there’s been no misuse, their new wording is still somewhat problematic. What does “has not confirmed any fraudulent misuse” mean? Does it mean that they have now actually received some reports of fraud or ID theft that have been attributed to the breach but that they have not confirmed as being due to the breach, or does it mean something else?

Express Scripts has not replied to an inquiry I sent them yesterday asking them to clarify what this new wording actually means. If they do, I will update this entry, but in the meantime, nagging questions remain, such as:

1. Why has Express Scripts been unable to determine how many — and whose — records were acquired by the extortionist? After diligent investigation on their part, they never discovered that 700,000 members’ records had been accessed; and

2. How many other members’ records does the extortionist also possess?

Express Scripts is certainly not the first entity to be unable to determine the full scope of a breach, but in this case, where we already have evidence of some malicious purpose, identifying all of those affected takes on added import.

We have often seen the phrase “in an abundance of caution” used in notification letters. In this case, an abundance of caution would mean notifying everyone whose data were potentially acquired. Express Scripts has not taken that approach, however. As a result, 700,000 people whose data were acquired almost a year ago are first learning that they are at risk, and we do not know how many others may also be at risk of ID theft.

In its summary of this incident, the Wisconsin Office of Privacy Protection described who’s affected as “Millions of member records to include a number of Wisconsin residents.” Based on Express Scripts’ notifications to states, that description appears to be erroneous. But then again, maybe it’s just prescient.

Given that the company is dealing with a situation in which they already have evidence that the individual is willing to misuse member data, and given the market for Social Security numbers with dates of birth and other personal information, this blogger believes that a “when in doubt, notify” approach is warranted. While I give credit to Express Scripts for not paying the extortion demands, they must certainly realize that if the extortionist cannot get money from them, it is quite possible that the data will be put up for sale. Express Scripts’ members need to know that so that they can be vigilant about their credit reports, but that will not happen if the company does not notify them that they may be at risk. Saying that they have notified those whose data they know to have been acquired strikes me as not prudent enough given their inability to determine the scope of this breach. I urge them to notify everyone whose records may have been in the database that they suspect was accessed. If ever an “abundance of caution” was in order, this is such a situation.

Sep 302009
 

As previously reported here Express Scripts recently updated their breach report on the incident from 2008 involving an extortion demand.  Now Dina Wisenberg Brin of Dow Jones Newswires provides some additional details, including the statistic that Express Scripts has now sent out approximately 700,000 individual notification letters, total.  The company has not revealed how many of the 700,000 notifications are due to its recently becoming aware that even more data had been acquired than they had realized.

Express Scripts spokeswoman Maria Palumbo told Dow Jones Newswires that the person who illegally obtained member records recently sent a data file to a law firm, which forwarded it to the FBI. Palumbo wouldn’t identify the law firm, other than to say it was one that had filed a lawsuit against the company.

As it has in the past, Express Scripts made a statement that it is “unaware at this time of any actual misuse of members’ information, but we understand the concern that this situation has caused our members.”

That statement strikes me as somewhat preposterous because the company is already aware of actual misuse of the information — the extortion demand itself represents actual misuse of the information, in my opinion.

This report was crossposted from PHIprivacy.net

Update: Robert McMillan of IDG News Service also reports on the latest developments in this breach, and notes that:

In May, Washington, D.C., law firm Finkelstein Thompson brought a class-action suit against Express Scripts on behalf of members whose data was stolen. Attorneys at the firm did not return messages seeking comment for this story.

The report also includes statements I made to the reporter about this breach.

Update 2: Dina Wisenberg Brin has updated her story to include a few more details. Express Scripts indicates that most of the 700,000 notifications are due to the recently revealed data as only a few hundred members were notified last year. Additionally, the company notes that the data appear to be consistent with how their data looked in 2006.

Image credit:  from the film, “Law Abiding Citizen”

Sep 162009
 

When Express Scripts reported receiving an extortion attempt late last year, its potential impact was immediately evident as the company handles prescription benefits for tens of millions of people.

Express scripts has now updated its breach report. In a letter to the New Hampshire Attorney General dated September 14, their Vice-President and Deputy General Counsel, Janice Forsyth, writes:

[…]

The FBI recently received additional information and as a result, we learned of additional personal information which was accessed without authorization, including names, social security numbers, and dates of birth. Although details regarding the situation are limited and we remain unaware of any actual misuse of the information, we are sending all affected members approximately 1771 individuals located in New Hampshire, notification letters and are complying with any relevant state breach notification laws.

We are fully cooperating with law enforcement authorities and their ongoing criminal investigation. We also are continuing to conduct an investigation with the help of outside experts in data security and computer forensics.

The letter to affected individuals, attached to the report, indicates that prescription information may also have been accessed.

This report was crossposted from PHIprivacy.net

Update: Express Scripts also updated their support web site and added this:

In late August 2009, Express Scripts was informed by the FBI that the perpetrator of the crime had recently taken action to prove that he possesses more member records from the same period as those identified in the 2008 extortion attempt. This is not a new data incident. Express Scripts is in the process of notifying these members.

Apr 102009
 

It’s been a while since I posted a list of the largest breaches or data loss incidents. My list often does not totally match others’ lists because of different criteria and sources that I use, but we’re often pretty close in our lists. This time, however, my list will likely appear significantly different, due, in part, to the fact that I recently uncovered some old breaches and incidents that pre-date most chronologies. Indeed, it was only because of the Open Security Foundation’s fun “find the oldest incident” contest that I discovered some of these older data loss incidents.

So here’s a list of what may be the 10 largest data loss incidents involving single organizations:

Rank # of Records or People Entity Date of Incident or Report Type of Incident
1 94,000,0001 TJX, Inc. 2007-01-17 Hack
2 90,000,0002 TRW 1984-06-22 Hack
3 40,000,000 Card Systems 2005-06-17 Hack
4 30,000,000 Deutsche Telekom 2008-11-01 Exposure
5 26,500,000 U.S. Department of Veterans Affairs 2006-05-22 Stolen Laptop
6 25,000,000 HM Revenue and Customs / TNT 2007-10-18 Lost Tapes
7 18,000,0003 Auction.co.kr 2008-02-17 Hack
8 18,000,0004 National Personnel Records Center 1973-07-12 Fire
9 16,000,000 Revenue Canada 1986-11-23 Theft
10 12,500,000 Bank of New York Mellon / Archive Systems Inc. 2008-03-26 Lost Tape

Notes:

1 94,000,000 or 46,500,000 depending on source.

2 TRW’s database held credit information on 90,000,000 and was being accessed for over a year before the company became aware of the problem.  The number of records actually accessed is unknown.

3Auction.co.kr said their number is 10.8 million and not 18 million as reported by other sources. If they are right, they drop off the top 10 list and the GS Caltex incident that affected 11.1 million moves to the #10 slot.

4This incident, involving paper records, affected many veterans who were unable to establish their right to receive benefits. Fifteen years later, duplicates of some of the records were located elsewhere and some veterans were first able to get benefits.

Notice what incidents the list doesn’t include. It doesn’t include:

  • The Express Scripts incident, where the breach may have affected approximately 50,000,000 individuals, as they have not revealed how many records were actually accessed or acquired as part of the extortion attempt.
  • A Taiwanese hacking ring that affected over 50,000,000 people by hacks involving a number of organizations or databases.
  • The AOL incident where names and email addresses of 30,000,000 customers were stolen and sold for spamming purposes, and
  • The Heartland Payment Systems breach, for which we have no numbers at this time, but which may turn out to be a “top 10” breach.

Have I missed any really large data loss incidents or breaches involving personal information that should have made a top 10 list, or did I include something that you think shouldn’t be included? If so, let me know.

And if you haven’t risen to the challenge of the Open Security Foundation to help them fill in their database by locating earlier breaches, I’d really encourage you all to do so. Even if we don’t win any of their sponsors’ great prizes for our submissions, we all benefit by having a more complete database of incidents. I’ve submitted about a dozen incidents for them to consider adding to their database, and I hope you’ll pitch in, too!

[Chart corrected 4-12-09 as what appeared be two Deutsche Telekom incidents may all be part of the one 2006 vulnerability. Then again, it may be a second breach involving 17,000,000. If any reader can sort that out, let me know.].