The personal information of 15 million Canadians may have been exposed after a company that performs diagnostic, naturopathic, and genetic tests had its computer systems hacked.
LifeLabs announced the breach on its website, saying it discovered the hack through proactive surveillance.
The company says it paid a ransom in order to secure the data, including test results from 85,000 Ontarians. It says that the majority of affected customers are from B.C. and Ontario, and the breach was discovered at the end of October.
The compromised test results were from 2016 and earlier and LifeLabs says there is no evidence that results were accessed in other provinces aside from Ontario, it was reported.
LifeLabs has been hit by hackers who held the personal information of 15 million Canadians for ransom. @mikelecouteur reports on what kind of data was compromised, and why the company decided to pay a ransom to hackers.
READ MORE: https://t.co/lnx6aXar7E pic.twitter.com/AZGCJzbgQb
— Global National (@GlobalNational) December 18, 2019
Companies find themselves in a difficult situation. It’s well known that it’s only a matter of time until any given company gets hacked. However, when breaches happen in the scale like this, it demands investigation to determine whether the company took reasonable precautions.
15 million Canadians affected is over 40% of all Canadians. If an organization can carries this amount of sensitive data, perhaps regulatory organizations should consider these organizations in a special category that requires additional oversight and outside assistance.
Organizations responsible for collecting and maintaining sensitive information, like healthcare records, need to have elevated security protocols to protect the information to reduce the risk of having it stolen by criminals. While there\’s no shortage of data protection tools like encryption, MFA, defense in depth, these should be strongly considered when protecting the sensitive and important data within an organization.
If the organization is unable to implement these controls due to budgetary issues, there should be a strong awareness training program for the employees to recognize the common attacks. Until healthcare organizations consider cyberattacks on the same level as fighting germs, breaches will continue to occur.
Consumers will want to monitor their accounts and be vigilant of spear phishing emails. Criminals in possession of the stolen data will create emails to trick them to reset their passwords through a malicious website and mention that their DNA information has been compromised.
Organizations reacting to a breach, or working hard to prevent one, would be served well by undertaking a thorough examination of their attack surface to discover the sorts of un- or under-protected Internet-facing entryways into the organization that typically go undetected by IT and security teams, yet are easily discovered by attackers.
These conduits into the organization are blind spots for IT and security teams because the assets may not be managed by, even known to, these teams. IT assets such as cloud-based servers, DevOps platforms, and partner networks that connect to an organization, but are outside their full control, are all examples. These \”shadow risks\” offer an open and tempting pathway to an attacker. That is why it\’s imperative for organizations to map their attack surface, expose that shadow risk, and eliminate any critical attack vectors before attackers leverage them.
While this breach may not sound huge compared to other mega-breaches in the news, it represents almost 40% of the entire population of Canada. There are several things that make this breach troubling – Canada has been a leader in creating strong privacy laws, yet the existence of these laws, disclosure requirements and potential fines, doesn’t seem to motivate many companies enough to properly protect their data. Also, while LifeLabs seems to have reported this breach promptly after discovering it, the data was stolen three years ago – highlighting the lack of real-time threat visibility for most organizations. Finally, they reportedly paid the hackers to “return” their data. This implies that their data was not adequately backed up, and paying ransoms – while understandable on an individual basis, rewards the hackers and perpetuates this endless stream of ransomware attacks. And it’s almost guaranteed that while the hackers may have returned the data, they also sold it on the Dark Web.
This kind of breach has become rather commonplace, unfortunately. Your information does not need to be leaked multiple times – one leak is enough for your personal information to be forever compromised. So it’s hard to understand the motive behind companies that pay a ransom to prevent online leakage, as there is absolutely no guarantee the perpetrators will abide by their word to not resell information on the dark web. By paying them, companies are only financing their future operations and sending a signal to other groups that this kind of activity pays off. Given there was no imminent risk of loss of life or major disruption of a public service, the payment was ill-advised.