Published on December 20th, 2019

LifeLabs just the latest in series of cyberattacks



The cyberattack on medical diagnostic company LifeLabs targeting the private information of 15 million Canadians — including Kamloopsians — was far from unique, according to Simon Fraser University criminologist Richard Frank.

“A couple of years ago, these [malware attacks] were very frequent against individuals,” Frank said. “Now, a lot more municipalities and larger organizations are falling victim.”

The City of Cranbrook was hit by a malware attack in 2018 that cost $120,000 to resolve. In Ontario, Stratford, Midland and Wasaga Beach also suffered cyberattacks. Wasaga Beach paid $34,000 in ransom, but spent $250,000 to recover from the attack, according to new reports.

“It’s obviously harder to accomplish, but if they do accomplish it, it is a lot more rewarding for the attackers,” Frank, an assistant professor at SFU and director of the International Cybercrime Research Centre, said of the trend to go after companies and municipalities.

LifeLabs CEO Charles Brown didn’t disclose details of the attack, which is still under investigation, only that the company’s regular security screening at the end of October detected an unauthorized access to its systems.

The company immediately acted to shut down the breach and isolate its servers, but information the attackers would have had access to included names, addresses, email, logins, passwords, dates of birth and health-card numbers for some 15-million patients, including most British Columbians.

In addition, test results for 85,000 Ontario residents, prior to 2016, were also compromised.

Brown said his company “retrieved the data” by paying a ransom, on the advice and with the help of experts. The amount paid was not disclosed.

Frank said there are many ways for cybercriminals to attack organizations, but two of the most common are phishing emails that distribute malware that infects and encrypts an entity’s data, and direct hacking through the client-access portal of a website.

Phishing attacks have become quite sophisticated, Frank said, with employees receiving an email that appears to come from a colleague with a request that appears reasonable, but downloads the malicious software.

Training programs that teach employees to recognize phishing have become common, Frank said, and “testing has shown training is effective, but not 100 per cent.”

In direct hacking, Frank said criminals use the public portal of a website to infect systems with malicious code in what is called an SQL injection.

The hackers insert documents giving themselves admin access to systems then “waltz right in and take what they want,” Frank said.





“It’s very complicated to trace back to who’s sitting at the keyboard,” he said.

While Brown said LifeLabs is confident its clients’ data is now secure and there is a low risk of further harm to them, Frank said it is hard to believe criminals wouldn’t keep copies of the data or exploit it in the future.

Brown said the advice LifeLabs received is that the company was the target of the attack, not the information of individuals, noting once criminals get what they want, “they move on.”

All that individual data would be useful in crafting “really nice phishing emails,” Frank said, which is something LifeLabs clients should be wary of now.

LifeLabs made the payment “likely with nothing more than a pinky promise [by the criminals] to get rid of the data,” said Brett Callow, a Vancouver-Island-based threat analyst for the anti-malware software firm Emsisoft.

Callow said it would be a mistake to assume the criminals haven’t copied the information, which could be useful to commit identity theft or to even extort LifeLabs a second time.

“The only way to stop these types of attacks is to make them unprofitable,” Callow said, which means not paying ransoms and focusing on better protecting computer systems.

Lawsuit launched

A Vancouver man has filed a notice of civil claim against LifeLabs in B.C. Supreme Court in an attempt to launch a class-action suit against the company in response to the cyberattack that affected the private information of 15-million Canadians, including patients in Kamloops.

Kenneth Morrison is alleging LifeLabs breached its contract with him to keep his private information safe.

Any B.C. resident who has been a LifeLabs patient before Dec. 17 of this year can join the suit, which alleges the company knew of the risk of a data breach and failed to implement sufficiently strong encryption and security safeguards to prevent it from being subject to unauthorized access.

LifeLabs has a number to call — 1-888-918-0467 — for patients of its labs.


