A Canadian lab testing company has decided to pay off hackers to prevent them from leaking customers’ personal information, including their lab test results.
On Tuesday, Toronto-based LifeLabs disclosed the breach, which affected 15 million customers. Names, physical addresses, login credentials, dates of birth, and health card numbers were looted in the hack.
In addition, a small subset of 85,000 customers based in Ontario also had their lab test results exposed to the hackers. These customers underwent a medical test at LifeLabs in the 2016 or earlier.
Obviously, the hack is bad news for the company’s affected users. But LifeLabs also claims to have the breach under control. That’s because it paid the hackers to get the stolen data back. “We retrieved the data by making a payment. We did this in collaboration with experts who are experienced in cyber attacks and in negotiations with cyber criminals,” LifeLabs said in a FAQ about the breach.
Security firms hired by LifeLabs have been monitoring the internet and the dark web for any signs of the stolen data. So far they’ve found none, said LifeLabs CEO Charles Brown in a statement. “I want to emphasize that at this time, our cyber-security firms have advised that the risk to our customers in connection with this cyber attack is low,” he added.
Still, hackers are known to lie, and it’s entirely possible the culprits involved made a copy of the stolen data to keep for themselves. So affected victims should be on guard. In the wrong hands, the information that was stolen could be exploited to commit identity theft or extortion, especially when it concerns any sensitive lab test results.
So far, LifeLabs has refrained from going into details about the hack, and whether ransomware was involved. But the company said it identified the intrusion at the end of October. In response, the company hired outside cybersecurity experts to investigate the full scale of the breach.
How much LifeLabs paid the hackers was left unsaid. However, the company has patched the hole the hackers used to break into its systems. It’s also introduced new safeguards to protect customer data. “Any customer who is concerned about this incident can receive one free year of protection that includes dark web monitoring and identity theft insurance,” LifeLabs’ CEO added.