Back in February I blogged about an incident at Express Scripts. The company was blackmailed by cyber extortionists to pay up or have the organization's sensitive customer info published.
A question that came up was what happens in such cases where state regulations actually require a company that has suffered a data breach to individually notify the affected persons.
Last week we received the answer: Express Scripts is now notifying 700,000 customers that their data may have been compromised. The company further states that last month the extortionist produced more of the accessed data records than were shown in the initial blackmail attempt. Another interesting point is that almost a year has passed and the criminal has yet to be caught.
It seems that Express Scripts cannot determine an accurate number of the records that were illegally accessed, which is why the company has to notify everyone. I admit I have not seen the forensic analysis of this breach, but we can still learn from it how to limit the fallout of such an incident. The first and foremost lesson is to have a capable database monitoring tool in place before the breach, not after it. Such a tool keeps track of who accessed the data (this cannot guarantee catching the extortionist, but it provides many helpful details to close in on her), how (was a system vulnerability exploited? Was this an inside job?) and, of course, how many and which records were accessed, so that only the people who were in fact affected need to be notified, rather than the entire customer base. The caveat is that the audit trail only answers the "how many" question if it records which rows each query touched, not merely that a query ran, and if the log itself is retained somewhere the attacker could not alter it.
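To make the scoping argument concrete, here is an added example (my own code, not anything from Express Scripts or from any particular monitoring product) that reads a constructed, row-level database audit log and answers the three questions above: which principals and hosts touched the data, which accesses look anomalous, and how many distinct records those accesses reached. The log format, the hostnames, the `members` table and the `KNOWN_HOSTS` allowlist are all assumptions invented for the example; a real audit source such as a database's native audit facility would need its own parser, but the aggregation logic is the same.

```python
"""Scope a database breach from a row-level access audit log (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user: str          # database principal
    host: str          # client address the statement came from
    statement: str     # SELECT / UPDATE / ...
    table: str
    row_ids: frozenset  # primary keys the statement returned (needs row-level auditing)


def _ids(start, count):
    """Helper to build a comma-separated run of row ids for the sample log."""
    return ",".join(str(i) for i in range(start, start + count))


# Constructed sample log: "ts user host statement table row_ids". Not real data.
# Four normal lookups, one nightly report job, then two bulk pulls from an unknown host.
SAMPLE_AUDIT_LOG = "\n".join([
    "# ts user host statement table row_ids  (constructed sample, not real data)",
    "2008-10-01T09:12:04Z claims_app 10.0.1.15 SELECT members " + _ids(1001, 2),
    "2008-10-01T09:12:09Z claims_app 10.0.1.15 SELECT members " + _ids(1003, 1),
    "2008-10-01T09:13:41Z claims_app 10.0.1.15 SELECT members " + _ids(1004, 2),
    "2008-10-01T09:15:27Z claims_app 10.0.1.15 SELECT members " + _ids(1006, 1),
    "2008-10-01T11:47:02Z report_svc 10.0.2.8 SELECT members " + _ids(1001, 10),
    "2008-10-01T23:58:13Z claims_app 203.0.113.77 SELECT members " + _ids(2001, 50),
    "2008-10-02T00:01:40Z claims_app 203.0.113.77 SELECT members " + _ids(2051, 30),
])

# Assumed allowlist: where each principal is expected to connect from.
KNOWN_HOSTS = {"claims_app": {"10.0.1.15"}, "report_svc": {"10.0.2.8"}}


def parse_audit_log(text):
    """Parse the assumed space-separated format into AccessEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, host, stmt, table, rows = line.split(" ", 5)
        ids = frozenset(int(r) for r in rows.split(",") if r and r != "-")
        events.append(AccessEvent(ts, user, host, stmt, table, ids))
    return events


def find_suspicious(events, known_hosts, bulk_factor=5):
    """Return (event, reasons) pairs for accesses that deserve a closer look.

    An access is flagged when it comes from a host the principal is not
    expected to use, or when it returns far more rows than that principal's
    typical statement does (baseline = median row count over accesses from
    known hosts, so the attacker's own traffic does not inflate the baseline).
    """
    baseline = defaultdict(list)
    for ev in events:
        if ev.host in known_hosts.get(ev.user, set()):
            baseline[ev.user].append(len(ev.row_ids))

    flagged = []
    for ev in events:
        reasons = []
        if ev.host not in known_hosts.get(ev.user, set()):
            reasons.append("unknown_host")
        if baseline[ev.user]:  # skip the size check when there is no baseline at all
            typical = median(baseline[ev.user])
            if len(ev.row_ids) > bulk_factor * max(typical, 1):
                reasons.append("bulk_read")
        if reasons:
            flagged.append((ev, reasons))
    return flagged


def affected_records(flagged):
    """Union of row ids reached by the flagged accesses: the notification list."""
    ids = set()
    for ev, _ in flagged:
        ids |= ev.row_ids
    return ids


def scope_breach(log_text, known_hosts):
    """Summarise who, from where, and how many records, for the notification decision."""
    events = parse_audit_log(log_text)
    flagged = find_suspicious(events, known_hosts)
    affected = affected_records(flagged)
    all_read = set().union(*(ev.row_ids for ev in events)) if events else set()
    return {
        "events": len(events),
        "flagged": len(flagged),
        "affected_records": len(affected),      # notify these
        "all_records_read": len(all_read),      # what you notify without attribution
        "suspect_hosts": sorted({ev.host for ev, _ in flagged}),
    }


if __name__ == "__main__":
    for ev, why in find_suspicious(parse_audit_log(SAMPLE_AUDIT_LOG), KNOWN_HOSTS):
        print(f"{ev.ts} {ev.user}@{ev.host} {len(ev.row_ids)} rows: {', '.join(why)}")
    print(scope_breach(SAMPLE_AUDIT_LOG, KNOWN_HOSTS))
```

On the sample data the two night-time pulls from 203.0.113.77 are flagged on both rules, and the notification set shrinks from every record the database served that day to the 80 rows those two statements actually returned. Without the row ids in the log, `affected_records` could only say "everything the `members` table holds", which is exactly the position a company ends up in when it has to notify its whole customer base.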
