A data breach at LifeLabs, potentially affecting up to 15 million Canadians, was revealed Tuesday.
The company, which performs medical lab tests, apologized for the security breach in a statement, adding that it was first discovered several weeks ago.
The CEO of the company, Charles Brown, called the incident a wake-up call for the industry.
“Whether you’re a private company, a government, a hospital, we’re all seeing these attacks rise and there’s more and more of them and we’ve collectively got to do more to make sure all our customers feel secure,” he said in a letter to customers.
Here’s what you need to know.
What information was compromised?
Information that was compromised included health card numbers, names, email addresses, login, passwords and dates of birth. However, LifeLabs said it wasn’t sure how many of the files were accessed during the breach.
It added the hackers did obtain test results from as many as 85,000 Ontario residents, dated 2016 and earlier.
The company said it hired cybersecurity experts to secure the system and determine the scope of the attack, and paid an undisclosed amount of money as ransom to secure the information.
How serious is the hack?
Ann Cavoukian, the former privacy commissioner for Ontario and executive director and founder of Privacy by Design, told Global News Radio that the “most sensitive of information” was compromised in the hack.
“You would think that a company that is entrusted with so much of that information would have the strongest security measures imaginable,” she said. “Clearly, they didn’t.”
Cavoukian said an investigation into the hack, currently being conducted by the Ontario and B.C. privacy commissioners, will evaluate how something like this could have happened — and why the company took weeks to reveal it.
In his letter, Brown said system issues related to the breach have been fixed and Tuesday’s announcement is “in the interest of transparency.”
What can you do?
Cavoukian added that there’s not much those affected by the data breach can really do at this point. For starters, she said those who are unsure whether their data was affected should contact LifeLabs. They can also take steps such as changing their passwords.
While the company is still determining exactly how many people were affected, it said the majority are from Ontario and B.C. It also said it would contact Ontario customers whose test results were accessed.
The company has set up a phone line specifically to handle related inquiries.
LifeLabs also said Tuesday that customers concerned about the safety of their data will be able to receive “one free year of protection that includes dark web monitoring and identity theft insurance.”
Why was a ransom paid?
Brown said in the release that the decision to pay a ransom was not easy, but he felt the responsibility to do everything possible to retrieve data.
“We wanted to get the data back,” he said. “We thought it was the smart thing to do because it was just in the best interests of our customers.”
Paying ransom is a fairly common business decision that can have some negative consequences, according to David Masson, director of enterprise security for cybersecurity firm Darktrace.
“If you pay, you’re telling the threat actors that you will pay. You’re quite likely to get hacked again or they’ll tell other threat actors that these people pay. So you could put yourself in a whole world of pain,” he said.
It also implies that the company has no other option to get the data back and doesn’t guarantee that all will be returned. Masson also believes the data never left the LifeLabs system but was encrypted.
— With files from The Canadian Press