LifeLabs Reveals Data Breach, Pays Ransom To Secure Personal Info Of 15M People

The personal information of 15 million Canadians may have been exposed after a company that performs diagnostic, naturopathic, and genetic tests had its computer systems hacked.

LifeLabs announced the breach on its website, saying it discovered the hack through proactive surveillance.

The company says it paid a ransom in order to secure the data, including test results from 85,000 Ontarians. It says that the majority of affected customers are from B.C. and Ontario, and the breach was discovered at the end of October.

The compromised test results were from 2016 and earlier, and LifeLabs reportedly says there is no evidence that results were accessed in provinces other than Ontario.

Expert Comments

December 18, 2019
Brian Higgins
Security Specialist
Comparitech.com
This appears to be a successful extortion attack upon LifeLabs given that they have paid their criminal attackers to have the stolen data returned. Only after thorough investigation by the relevant authorities will this be confirmed and until then there remains the possibility that other cyber criminals may be in possession of the data. The compensatory offer of free DarkWeb monitoring and password advice are a nice touch but by far the most critical threat to LifeLabs customers is further exploitation by criminal organisations. The entire consumer community will understandably be worried that their personal, medical data has been breached and it is this concern that makes them vulnerable to further criminal attack. Under no circumstances whatsoever should any current or previous customers respond to any unsolicited communication from LifeLabs. Criminals will call or email purporting to be offering legitimate help but their sole aim is to play on people’s fear to make them give up their personal information. This could be logon credentials, passwords, payment information or any other data they can use to commit more crimes. Any contact whatsoever should be referred back to LifeLabs for confirmation and forwarded or reported to Law Enforcement immediately. This attack will have serious personal impact upon all of those involved. It would be tragic if the consequences were compounded by victims sharing even more personal information.
December 18, 2019
Warren Poschman
Senior Solutions Architect
comforte AG
Healthcare institutions are seen as softer targets as not only are these systems just as rich with data as the traditional targets but security often lags due to the focus on, in the case of healthcare, patient care over IT. LifeLabs must surely have an enormous treasure of sensitive data, so besides improving their perimeter defense, they should explore a data-centric security approach. That way, they could proactively protect their data against breaches instead of playing constant catch up in terms of addressing the many different root causes that can lead to cyber incidents.
December 18, 2019
Irfan Khimji
Country Manager
Tripwire
There have been many breaches that have impacted many Canadians this past year. This latest one hits a little closer to home as it directly impacts the medical records of our families and loved ones. While some of the information compromised cannot be changed, there is some due diligence that consumers can take. If one’s login credentials used to access the LifeLabs portal are used on other sites, it is a good idea to change those passwords as well as consider using a password manager moving forward. Where possible, it is also a good idea to enable multi-factor authentication.
December 18, 2019
Javvad Malik
Security Awareness Advocate
KnowBe4
There are few details available at the moment, so it's difficult to say how the breach occurred. All that we know at the moment is that an unauthorised third party managed to gain access to a large dataset of customer information. It looks like the criminals were successfully able to extort money from LifeLabs, but paying criminals is no guarantee they won't re-sell the data, or use it to compromise users further. So customers should be wary of any emails they receive, particularly ones which may claim to be from LifeLabs. Additionally, customers should take advantage of any identity theft protection that is offered and keep an eye on their credit records.
December 19, 2019
Mike Jordan
VP of Research
The Shared Assessments Program
Companies find themselves in a difficult situation. It’s well known that it’s only a matter of time until any given company gets hacked. However, when breaches happen on a scale like this, it demands investigation to determine whether the company took reasonable precautions. 15 million Canadians affected is over 40% of all Canadians. If an organization can carry this amount of sensitive data, perhaps regulatory organizations should consider these organizations in a special category that requires additional oversight and outside assistance.
December 19, 2019
James McQuiggan
Security Awareness Advocate
KnowBe4
Organizations responsible for collecting and maintaining sensitive information, like healthcare records, need to have elevated security protocols to protect the information to reduce the risk of having it stolen by criminals. While there's no shortage of data protection tools like encryption, MFA, defense in depth, these should be strongly considered when protecting the sensitive and important data within an organization. If the organization is unable to implement these controls due to budgetary issues, there should be a strong awareness training program for the employees to recognize the common attacks. Until healthcare organizations consider cyberattacks on the same level as fighting germs, breaches will continue to occur. Consumers will want to monitor their accounts and be vigilant of spear phishing emails. Criminals in possession of the stolen data will create emails to trick them to reset their passwords through a malicious website and mention that their DNA information has been compromised.
December 19, 2019
Raphael Reich
Vice President
CyCognito
Organizations reacting to a breach, or working hard to prevent one, would be served well by undertaking a thorough examination of their attack surface to discover the sorts of un- or under-protected Internet-facing entryways into the organization that typically go undetected by IT and security teams, yet are easily discovered by attackers. These conduits into the organization are blind spots for IT and security teams because the assets may not be managed by, even known to, these teams. IT assets such as cloud-based servers, DevOps platforms, and partner networks that connect to an organization, but are outside their full control, are all examples. These "shadow risks" offer an open and tempting pathway to an attacker. That is why it's imperative for organizations to map their attack surface, expose that shadow risk, and eliminate any critical attack vectors before attackers leverage them.
December 19, 2019
Willy Leichter
CMO
LogicHub
While this breach may not sound huge compared to other mega-breaches in the news, it represents almost 40% of the entire population of Canada. There are several things that make this breach troubling – Canada has been a leader in creating strong privacy laws, yet the existence of these laws, disclosure requirements and potential fines, doesn’t seem to motivate many companies enough to properly protect their data. Also, while LifeLabs seems to have reported this breach promptly after discovering it, the data was stolen three years ago – highlighting the lack of real-time threat visibility for most organizations. Finally, they reportedly paid the hackers to “return” their data. This implies that their data was not adequately backed up, and paying ransoms – while understandable on an individual basis, rewards the hackers and perpetuates this endless stream of ransomware attacks. And it’s almost guaranteed that while the hackers may have returned the data, they also sold it on the Dark Web.
December 19, 2019
Mounir Hahad
Head
Juniper Threat Labs, Juniper Networks
This kind of breach has become rather commonplace, unfortunately. Your information does not need to be leaked multiple times – one leak is enough for your personal information to be forever compromised. So it’s hard to understand the motive behind companies that pay a ransom to prevent online leakage, as there is absolutely no guarantee the perpetrators will abide by their word to not resell information on the dark web. By paying them, companies are only financing their future operations and sending a signal to other groups that this kind of activity pays off. Given there was no imminent risk of loss of life or major disruption of a public service, the payment was ill-advised.