Why do people rob banks? According debonair American bank robber Willie Sutton, “because that's where the money is." Cybercriminals think the same way about the enterprise database, and they do not need a gun.
The Cyberextortionist Case of Express Scripts
How did Express Scripts find out about the breach? According to its web site, the extortionist sent Express Scripts a letter with a sample of 75 customer records back in October of 2008. The letter also threatened to publicly expose millions of the company’s members’ records if an extortion threat was not met.
It is unclear which data security policies were in place at Express Scripts. No security system is perfect. As a best practice, this story paints a picture of why organizations can't be proactive enough about assessing data vulnerabilities and monitoring for breaches.
By assessing vulnerabilities, enterprises can see where the security holes exist. You can bet that when a bank robber is looking for the easiest way to rob a bank, he or she looks for the weak spots. A data thief does the same thing. And by monitoring for threats, organizations can be alerted about any breaches as it happens.
As a side note, I wonder where Willie Sutton would focus his efforts today.