[Analysis] LifeLabs Reveals It Paid Ransom in Exchange for Stolen Data

LifeLabs Reveals It Paid Ransom in Exchange for Stolen Data

LifeLabs, the largest provider of general diagnostic and specialty laboratory testing services in Canada, has announced that it paid an undisclosed amount of ransom in exchange for the stolen data of 15 million customers.

Charles Brown, President and CEO of LifeLabs, in a statement, said that the company’s computer systems were illegally accessed resulting in the theft of data belonging to approximately 15 million customers. Stolen data includes name, address, email, login, passwords, date of birth and health card number. The vast majority of the affected customers are from Ontario and British Columbia.

Brown added that laboratory test results of 85,000 customers from Ontario for the period 2016 or earlier were part of the stolen data. The President and CEO of LifeLabs further said that health card information of customers for the period of 2016 or earlier was also stolen.

"Retrieving the data by making a payment,” Brown said was one of the measures that the company took in order to protect customer information. “Personally, I want to say I am sorry that this happened,” he said.

While the President and CEO of LifeLabs said that risk to customers in connection with this cyber attack is “low and that they have not seen any public disclosure of customer data,” he called on affected customers to avail of the company’s one free year of protection that includes dark web monitoring and identity theft insurance.

How the LifeLabs Data Breach Unfolded?

The President and CEO of LifeLabs said that the data breach was discovered as a result of "proactive surveillance” and added that the company “fixed the system issues” related to the cyber-attack.

In a joint statement, the Office of the Information and Privacy Commissioner of Ontario (IPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC) said that LifeLabsinformed the two offices on November 1, 2019 about the data breach. The IPC and OIPC said that they will conduct a joint investigation into the data breach at LifeLabs. Among the things to be investigated, the two offices said, will include the scope of the breach and the circumstances leading to it.

“They advised us that cyber criminals penetrated the company's systems, extracting data and demanding a ransom,” IPC and OIPC said in a joint statement. “LifeLabs paid the ransom to secure the data.”

"An attack of this scale is extremely troubling,” said Brian Beamish, Information and Privacy Commissioner of Ontario. “I know it will be very distressing to those who may have been affected. This should serve as a reminder to all institutions, large and small, to be vigilant."

“I am deeply concerned about this matter,” said Michael McEvoy, Information, and Privacy Commissioner for British Columbia. “The breach of sensitive personal health information can be devastating to those who are affected."

While ransom or payment was made, there was no mention that the attack was due to a ransomware – a type of malicious software (malware) that encrypts data and the group or individual behind the malware then demands ransom payment in exchange for decryption key or keys that would unlock the encrypted files.

Cyber Attackers New Modus Operandi

While cyber attackers have been known to steal data from their victims, there’s a scarcity of information showing victims paying ransom in order to get back the stolen data. The latest cyber incident at LifeLabs shows an alarming cyber-attack trend, that is, penetrating the victim's systems, extracting data and then demanding a ransom.

Ransomware attackers, meanwhile, over the past few weeks have openly employed a new tactic in order to force their victims to pay ransom: threatening ransomware victims that failure to pay the ransom will result in the publication of stolen data. This latest modus operandi by ransomware attackers confirms what has been widely known in the cyber security community that ransomware attackers don’t merely encrypt data but they also have ways to snoop and even steal data prior to the data encryption.

In late November of this year, the group behind the ransomware called “Maze” published online the stolen data from one of its victims, Allied Universal after Allied failed to pay 300 bitcoins, then valued nearly $2.3 million USD, within the period set by the malicious group. The group behind the Maze ransomware told BleepingComputer, “We gave them time to think until this day, but it seems they [Allied Universal] abandoned payment process.”

The group behind the Maze ransomware further said that before encrypting any of the victims’ files, these files are first exfiltrated or stolen to serve as further leverage for the victims to pay the ransom.

The group behind the ransomware called “REvil”, also known as Sodinokibi ransomware, recently announced in a hacker forum that it will also leak online the stolen data from ransomware victims who refuse to pay ransom. Other than leaking the stolen data online, the group behind REvil ransomware also said the stolen data from ransomware victims who refuse to pay could be sold.

Maze ransomware initially infects victims’ computers via phishing campaigns or via Fallout exploit kit – a hacking tool that exploits the security vulnerabilities in Adobe Flash Player and Microsoft Windows. REvil ransomware, meanwhile, also initially infects victims’ computers via phishing campaigns and exploit kits, as well as by exploiting a security vulnerability in Oracle’s WebLogic server and by brute-forcing Remote Desktop Protocol (RDP) access.