Secure your small business:
Apps → Data →

Canadian Medical Company LifeLabs Gets Hacked—and There Are Lessons in It for Everyone

15 million Canadian patients—some 40 percent of Canada's population—have been affected by a breach at LifeLabs. The incident tells us a lot about the state of MFA today.

Earlier this month, LifeLabs—a medical testing laboratory used by millions of patients and their physicians—announced that it had become the target of a serious cyberattack.

In the attack, which was discovered in late October, private records for some 15 million patients—including health data, lab results, biographical information, and login information—were compromised and then held for ransom by attackers.

Medical testing company LifeLabs was hit in October by a breach affecting 15 million users—approximately 40 percent of Canada’s population—who didn’t find out about the incident until mid-December. © Dmytro Zinkevych / Dreamstime

LifeLabs paid the ransom to regain access to the data, but the incident raises good reasons for serious concern:

  • There is no reason to assume that the attackers have not preserved copies of the breached data

  • There is no reason to assume that the attackers do not plan to sell the data on the dark web, or that they have not already done so

  • Details of the breach did not become public until weeks after the attack occurred

The mechanism of behind the attack hasn’t yet been revealed, but the Office of the Information and Privacy Commissioner (OIPC) for British Columbia says that “cyber criminals penetrated the company’s system, extracting data and demanding a ransom,”  all of which suggest a data breach—not merely an encrypt-in-place malware attack.

What does an incident like this tell us? Here are three conclusions that can already be drawn, even before authorities have released more detail about the incident.

Out-of-band Multi-Factor Authentication (MFA) Needs to Be Everywhere

Following the initial attack, it was more than a month before LifeLabs and authorities to begin to notify affected patients and consumers—despite the fact that affected data included, to reiterate:

  • Login information

  • Various biographical data including birth dates

Those two items are more than enough to compromise many other accounts not protected by MFA, since consumers routinely reuse login information, despite warnings, and since biographical data is routinely used to gatekeep password reset workflows.

The LifeLabs breach involved not just credentials and medical information but biographical details as well—enough to enable intrusion into many other systems. © Plurilock

It appears to be sheer dumb luck that authorities say they haven’t seen compromised credentials from the LifeLabs breach in active circulation among criminals—but with MFA use still lagging in the real world, the potential for the effects to reach into consumers’ banking, e-commerce, and other life activities is great.

From the corporate perspective, even if you’re not LifeLabs, if you do business online with consumers you should be using strong, out-of-band MFA—because someone somewhere is inevitably going to be a LifeLabs again. And again. And again.

We’ve seen enough by now to know that each time one of these breaches happens, crooks tend to come away with enough data about countless individuals—even reusable biometric data in some cases  these days—to get into thousands, hundreds of thousands, or even millions of consumer accounts on other critical services and systems.

Unless, that is, those accounts are protected by strong MFA.

Authorities Need to Move More Quickly to Notify, Even If It’s Painful

In the meantime, reporting gaps of weeks or even months between a breach and notification that a breach has occurred need to be eliminated.

We get it—companies are loathe to move quickly to start the catastrophic press coverage that a breach is sure to create, and authorities want to be cautious so as to deliver accurate information to the public.

The fact is, however, that MFA isn’t deployed everywhere just yet—and that each day that passes between a breach and the public’s awareness of it is another day on which consumers:

  • Don’t know to change their passwords

  • Don’t know to finally enable MFA where they’ve had the choice but put it off

  • Don’t know to check their accounts and records for illicit activity

In today’s world, we think that’s ultimately unacceptable. With millions of lives and fortunes at stake in each of these incidents, true “caution” isn’t in delaying an announcement until concrete facts are in—it’s in telling every potentially affected consumer that they’re at risk as early as is humanly possible.

Affected consumers have every right to wonder why it takes so long for them to be notified of risks to their accounts. © Katie Nesling / Dreamstime

Only that way can the fallout from these breaches be limited to the greatest possible extent.

MFA Needs to Become More Palatable

The fact that in 2019 we’re still having part-worried, part-wistful discussions about how everyone needs to deploy MFA shows that work needs to happen in the MFA world as well.

Consumers are angry—and afraid—as the march of large data breaches across international news headlines continues—yet they and the organizations that serve them continue to drag their feet when it comes to MFA deployment.

This is no accident. The average consumer already struggles to remember usernames and rule-encumbered passwords. Adding yet another step to login flows is something that consumers—and by extension, the companies that serve them—dread.

The de-facto standard among companies that support MFA for consumer accounts has become “opt-in” MFA for “added” security. But as the costs continue to escalate for all, it’s clear that this is a bad solution that leads both to much frustration and to much regret.

Commonly deployed authentication strategies need to be better—less cumbersome and with less added friction. Solutions like Plurilock ADAPT™  for login workflows and Plurilock DEFEND™   for continuous, full-session authentication are multi-factor, out-of-band, and invisible to users, imposing no new steps and no secrets to remember while offering the protection against credential reuse that comes with MFA.

If we’re going to limit the consequences of major data breaches—and the motivation, in the form of stolen credentials and biographical data, that lead to them—invisible solutions like these need to become standard across every online industry. ■

Subscribe to the newsletter for Plurilock and cybersecurity news, articles, and updates.

You're on the list! Keep an eye out for news from Plurilock.