A ransomware group claimed to have 4.7 TB of data stolen from pharmacy services provider PharMerica, including the full names, addresses, dates of birth, medical information and Social Security numbers for more than 5.8 million people. PharMerica, a Fortune 1000 company that operates in all 50 US states, has not verified how the breach occurred, but the fraud ring that posted the stolen data says the company did not meet the deadline for their ransomware payment.
PharMerica discovered the data breach in March and just this month sent data breach notices to the nearly 6 million impacted consumers, detailing the nature of the sensitive information that was compromised. The company is now offering one year of identity protection fraud monitoring services from Experian, and while all impacted consumers should take up this offer they should also highly considering freezing their credit.
Given that medication and medical records were compromised, along with addresses and dates of birth, impacted consumers could be targeted with carefully crafted and bespoke phishing campaigns. The exposure of Social Security numbers has the potential to be the most financially damaging, as fraudsters can use this information to apply for loans and lines of credit.
What’s worse is that this sensitive personally identifiable information (PII) was all made available for free, and at the time of writing can still be downloaded. This PII was broken into multiple files all available for free download by a ransomware group calling themselves Money Message. They first published some of this stolen data on March 28th, taking credit for the ransomware attack. On April 9th, the fraud ring claimed that time ran out and PharMerica did not make payment, so all 5.8 million records were posted online.
While PharMerica has not confirmed the data breach was a result of a ransomware attack, hackers generally prefer monetizing stolen data rather than giving it away for free, especially Social Security numbers. The lowest price of SSNs on the dark web is around $4, but records that include full name and date of birth for individuals with strong credit, easily for $60 or more. Using these as the upper and lower bounds, the resale value of this stole data ranges from $23.2 to $348 million dollars.
Fortunately for fraudsters and identity thieves, and unfortunately for the impacted consumers, this data is still available to download for free.
For more information:
Comments