LifeLabs Data Breach Puts About 15 Million Customers' Logins and Passwords at Risk
LifeLabs is one of the biggest laboratory service providers in Canada – a country with a population of just under 40 million people. A successful attack against LifeLabs is bound to put the data of quite a few innocent patients at risk, and unfortunately, we have to report that this is exactly what has happened.
On December 17, Canadian news outlets started reporting that the laboratory service provider had suffered a data breach. In a statement, Charles Brown, LifeLabs' CEO, admitted that no fewer than 15 million people had been affected. The leaked personal details included names, email and physical addresses, dates of birth, health card numbers, usernames, and passwords. Most of the victims were residents of Ontario and British Columbia, and the hackers compromised pre-2016 lab test results of about 85 thousand of them. This is already shaping up to be quite a worrying incident, and the more details you read about it, the worse it gets.
LifeLabs paid a ransom to "retrieve" the compromised data
LifeLabs' statement doesn't mention the word "ransomware" anywhere, but evidence suggests that this could very well be what caused the whole calamity. The announcement clearly says that the laboratory network had to make "a payment" in order to "retrieve" the data. In other words, the cybercriminals extorted money from LifeLabs in exchange for releasing the stolen information.
We still don't know whether the data was encrypted or whether the crooks downloaded a copy of it and threatened to leak it, which is what ransomware operators have been doing more and more frequently in recent months. If it was encrypted, this would suggest that LifeLabs had no backups, a thought that is plainly terrifying.
Then again, all this is speculation. Neither LifeLabs' announcement nor the joint press release issued by the Information and Privacy Commissioners of Ontario and British Columbia has any specific details on the actual attack. The reason for this is, apparently, the ongoing investigation.
The attack happened well over a month ago
That investigation has been going on for quite a while now. The governments of the two Canadian provinces were first notified of the breach on November 1, and LifeLabs admitted that the actual attack took place in late October.
Every cyberattack must be investigated thoroughly, but in this particular case, the people responsible for finding out what happened don't seem to be in any particular hurry. And in the meantime, the customers that have been affected are left with quite a lot of unanswered questions.
For example, according to the official statement, the cybersecurity experts that LifeLabs hired are pretty sure that the risk for the affected individuals is "low," but they don't say what makes them think this is the case. The hackers accessed millions of passwords, but no one is willing to tell us whether they can now use them. There is absolutely no information on the method LifeLabs used for storing login data, which means that people have no idea how vulnerable they could be to threats like credential stuffing.
There is also no word on what has been done to protect people's accounts at the lab service provider, which means that affected individuals are left with few options other than to take LifeLabs up on its offer of one free year of identity theft protection and be on the lookout for anything suspicious.