I was recently reminded of a story which occurred a couple of months ago - Express Scripts, a U.S. prescription drug management company, was threatened by cyber-criminals to expose online patient records. To prove they have the data, they sent along with their blackmail letter the details (including names, birth dates and Social Security Numbers) of 75 patients.

This incident in turn reminded me of another, this one taking place in Germany. The cybercriminals in this case attempted to sell 21 million German bank accounts in the black market. Their proof of data was a CD containing the records of 1.2 million accounts. These stories present an additional method of cyber-criminals to monetize on sensitive data - and that is to resort to extortion. Criminals take advantage of the fact that many companies would much rather pay up than to face the embarrassment and aftermath of dealing with a security breach.

I wonder though how effective this method is for criminals extorting US companies where the state regulations require organizations that suffer a security breach to be reported. Holding data at ransom is not a new idea. Last year we've seen malware which encrypts the infected user's files. The user had to contact the criminal and pay up to receive the respective decryption key. A Trojan caused users to be locked out of their system altogether. By parting with $35, the users can regain access to their systems. Talking about data hostages, last month an IT contractor was indicted for planting a logic bomb on the same day he was let go. The malicious script was set to delete the data from 4,000 servers on the last day of January (luckily, the bomb was detected ahead of time and detonated by the IT squad).

I wonder where he got that old idea from. Perhaps from the 1992 film "Single White Female"? In the movie, Bridget Fonda's character planted a logic bomb to delete all data from a firm were payment not delivered within 3 months. Seems logic bombs are also one of Hollywood's favorites!