[BreachExchange] Lab Testing Firm Pays Off Hacker to Prevent Data Leak

Destry Winant destry at riskbasedsecurity.com
Thu Dec 19 09:23:41 EST 2019


A Canadian lab testing company has decided to pay off hackers to
prevent them from leaking customers' personal information, including
their lab test results.

On Tuesday, Toronto-based LifeLabs disclosed the breach, which
affected 15 million customers. Names, physical addresses, login
credentials, dates of birth, and health card numbers were looted in
the hack.

In addition, a small subset of 85,000 customers based in Ontario also
had their lab test results exposed to the hackers. These customers
underwent a medical test at LifeLabs in the 2016 or earlier.

Obviously, the hack is bad news for the company's affected users. But
LifeLabs also claims to have the breach under control. That's because
it paid the hackers to get the stolen data back. "We retrieved the
data by making a payment. We did this in collaboration with experts
who are experienced in cyber attacks and in negotiations with cyber
criminals," LifeLabs said in a FAQ about the breach.

Security firms hired by LifeLabs have been monitoring the internet and
the dark web for any signs of the stolen data. So far they've found
none, said LifeLabs CEO Charles Brown in a statement. "I want to
emphasize that at this time, our cyber-security firms have advised
that the risk to our customers in connection with this cyber attack is
low," he added.

Still, hackers are known to lie, and it's entirely possible the
culprits involved made a copy of the stolen data to keep for
themselves. So affected victims should be on guard. In the wrong
hands, the information that was stolen could be exploited to commit
identity theft or extortion, especially when it concerns any sensitive
lab test results.

So far, LifeLabs has refrained from going into details about the hack,
and whether ransomware was involved. But the company said it
identified the intrusion at the end of October. In response, the
company hired outside cybersecurity experts to investigate the full
scale of the breach.

How much LifeLabs paid the hackers was left unsaid. However, the
company has patched the hole the hackers used to break into its
systems. It's also introduced new safeguards to protect customer data.
"Any customer who is concerned about this incident can receive one
free year of protection that includes dark web monitoring and identity
theft insurance," LifeLabs' CEO added.

More information about the BreachExchange mailing list