Canadian laboratory testing company LifeLabs disclosed on Tuesday that it had suffered a cyberattack that may have compromised the personal information of some 15 million customers, primarily in the provinces of British Columbia and Ontario. Names, physical addresses, login credentials, dates of birth, and health card numbers were looted in the hack.
When it came to lab results, LifeLabs said the hack affected 85,000 of its Ontario customers from 2016 or earlier. The data was from 2016 and earlier, and the vast majority of affected customers are from B.C. and Ontario.
The Toronto-based company declined to say how much money was paid to secure the data.
The company also assured the public that its consultants have seen no evidence that data from LifeLabs has been trafficked by criminal groups that are known to buy and sell such data over the internet.
"What assurances did they receive from the attackers that the stolen data was actually deleted?"
Brown said the company delayed informing its customers to make sure that it had retrieved the data and had strengthened its security so that it would not be vulnerable to subsequent attacks.
"We did this in collaboration with experts familiar with cyber-attacks and negotiations with cyber criminals", Brown's statement says.
Adrian Dix says the provincial government was notified October 28 that hackers had accessed private test results from 2016 and earlier, belonging to customers in B.C. and Ontario.
The company also stated that it had already notified law enforcement, privacy commissioners, and government partners to investigate the breach incident.
BleepingComputer has reached out to LifeLabs for more information, but has not heard back as of yet.
"I am deeply concerned about this matter", B.C. commissioner Michael McEvoy said. That's why she chastised Lifelabs for not having strong enough security to prevent the data from being stolen.
"Our independent offices are committed to thoroughly investigating this breach", McEvoy said.
iSecurity's experience has been that the health care industry accounts for about 48 per cent of the cases it has handled - although it wouldn't reveal the identity of any of its 300 to 400 clients in Ontario. I know it will be very distressing to those who may have been affected.
However, while the commissioners said they will report publicly on their findings and recommendations once the work is complete, they will not discuss details of their proceedings while that work is underway.
Brown wrote that the attack occurred despite the laboratory's efforts to increase its cybersecurity in recent years.