[BreachExchange] Lifelabs Data Breach, the Largest Ever in Canada, May Cost the Company Over $1 Billion in Class-Action Lawsuit

Destry Winant destry at riskbasedsecurity.com
Fri Jan 10 10:13:56 EST 2020


https://www.cpomagazine.com/cyber-security/lifelabs-data-breach-the-largest-ever-in-canada-may-cost-the-company-over-1-billion-in-class-action-lawsuit/

An October hack of medical testing company LifeLabs exposed the
sensitive personal information of an estimated 15 million Canadians.
The LifeLabs data breach was the largest yet in Canada in terms of
personal record count, and the company may end up paying dearly for
its security lapse. A civil lawsuit that was just introduced in
Toronto is seeking a total of $1.14 billion in damages.

The LifeLabs data breach

Though the company was hacked in October, the public did not become
aware of the LifeLabs data breach until December 17 when the company
posted an open letter on its website.

The company revealed that it was breached by some sort of cyber attack
that targeted customer information. LifeLabs is the largest provider
of medical lab diagnostic services in Canada, and almost half of
Canada’s total population has had some sort of testing done by the
company as part of their normal health care.

Mike Jordan, VP of Research for The Shared Assessments Program,
suggested that the reach of this breach may be an indication that new
legislation is needed in the country for the protection of patient
data:

“Companies find themselves in a difficult situation. It’s well known
that it’s only a matter of time until any given company gets hacked.
However, when breaches happen in the scale like this, it demands
investigation to determine whether the company took reasonable
precautions.

“15 million Canadians affected is over 40% of all Canadians. If an
organization can carry this amount of sensitive data, perhaps
regulatory organizations should consider these organizations in a
special category that requires additional oversight and outside
assistance.”


The LifeLabs data breach included lab test results and national health
card numbers along with personally identifiable information including
names, dates of birth, home addresses and email addresses. Login IDs
and passwords appear to have also been compromised in the breach.

The compromised lab test results apparently date from 2016 and
earlier, and the majority of them (an estimated 85,000 customers'
worth) come from Ontario and British Columbia. The company stated that
there were "relatively few" compromised tests from other parts of the
country.

In the public statement, LifeLabs indicated that it made some sort of
payment to retrieve the stolen data. The company did not elaborate on
the nature of the attack, which leaves Canadian customers uncertain
about the current level of risk to their personal information. Some
news outlets reported it as a ransomware attack, but there is no clear
indication of that. The situation may resemble the 2017 Uber incident,
in which Uber paid the hackers to return the stolen data and sign
non-disclosure agreements. If the data was exfiltrated, paying to
retrieve it does not take it out of unauthorized hands: LifeLabs has
no way to verify that the attackers did not keep copies.

Mounir Hahad, head of Juniper Threat Labs at Juniper Networks,
expanded on this idea:

“This kind of breach has become rather commonplace, unfortunately.
Your information does not need to be leaked multiple times – one leak
is enough for your personal information to be forever compromised. So
it’s hard to understand the motive behind companies that pay a ransom
to prevent online leakage, as there is absolutely no guarantee the
perpetrators will abide by their word to not resell information on the
dark web. By paying them, companies are only financing their future
operations and sending a signal to other groups that this kind of
activity pays off. Given there was no imminent risk of loss of life or
major disruption of a public service, the payment was ill-advised.”

LifeLabs merely characterized the risk to the public as “low” and
indicated that they had involved law enforcement and third-party cyber
security firms. The company also claims that the issue that led to the
breach has been fixed.

The class action lawsuit

There are currently three proposed class action lawsuits in response
to the LifeLabs data breach. The largest of these is seeking $1.13
billion in damages plus an added $10 million in punitive penalties.
Before any of them can proceed, the courts will have to evaluate each
suit on its individual merits and decide whether to certify it.

The suit described here asserts that the LifeLabs data breach was
caused by a failure of adequate cyber security safety measures and
controls, and that the company violated its own privacy policy in
allowing it to happen.

The lawsuit filing hints at some additional details about the breach.
It alleges that the data in question was stored on unsecured servers,
and that it was not encrypted. It also alleges that the network
security personnel responsible for securing the data were not properly
trained and that there was not an adequate amount of staff.

Additional trouble for LifeLabs?

The parties impacted by the LifeLabs data breach have been offered a
year of free TransUnion credit monitoring and identity theft
protection service by the company, but a recent report from CTV News
indicates that a new problem may be brewing.

Customers say that the phone number set up for them to arrange credit
monitoring goes to a call center in India, where they are asked for
their Social Insurance Number to confirm their identity. The SIN is
used for various forms of national identification and was not
necessarily included in the breached data, so customers are being
asked to hand over an identifier that the breach itself may not have
exposed.

Some Canadian customers are hesitant to trust TransUnion as the
company was recently involved in its own data breach. A cyber break-in
in October led to the theft of the personal information of 37,000
Canadian customers.

Security issues at Canadian hospitals

The LifeLabs data breach comes in the midst of general concern about
the Canadian health care system's ability to protect patient data.
2019 saw the Ryuk ransomware devastate three hospitals in Ontario, the
theft of an unencrypted hard drive full of patient data and
unauthorized employee access to thousands of records in Alberta, and
the phishing of the Nova Scotia Health Authority, resulting in 3,000
compromised records.

Canadians have valid reason to be concerned about the ability of their
country’s medical facilities to properly secure themselves, given that
cybersecurity budgets are often thin. However, there are steps that
organizations can (and must) take regardless of budget.

As James McQuiggan, Security Awareness Advocate for KnowBe4, pointed out:

“Organizations responsible for collecting and maintaining sensitive
information, like healthcare records, need to have elevated security
protocols to protect the information to reduce the risk of having it
stolen by criminals. While there’s no shortage of data protection
tools like encryption, MFA, defense in depth, these should be strongly
considered when protecting the sensitive and important data within an
organization.

“If the organization is unable to implement these controls due to
budgetary issues, there should be a strong awareness training program
for the employees to recognize the common attacks. Until healthcare
organizations consider cyberattacks on the same level as fighting
germs, breaches will continue to occur.

“Consumers will want to monitor their accounts and be vigilant about
spear phishing emails. Criminals in possession of the stolen data will
create emails to trick them into resetting their passwords through a
malicious website and mention that their DNA information has been
compromised.”

And Raphael Reich, VP of Marketing for CyCognito, observed some
relevant areas of focus:

“Organizations reacting to a breach, or working hard to prevent one,
would be served well by undertaking a thorough examination of their
attack surface to discover the sorts of un- or under-protected
Internet-facing entryways into the organization that typically go
undetected by IT and security teams, yet are easily discovered by
attackers.

“These conduits into the organization are blind spots for IT and
security teams because the assets may not be managed by, even known
to, these teams. IT assets such as cloud-based servers, DevOps
platforms, and partner networks that connect to an organization, but
are outside their full control, are all examples. These “shadow risks”
offer an open and tempting pathway to an attacker. That is why it’s
imperative for organizations to map their attack surface, expose that
shadow risk, and eliminate any critical attack vectors before
attackers leverage them.”