Cyberattacks Involving Data Theft Coupled with Ransom Demand Are Becoming Common

Cyberattacks involving the theft of personal information coupled with ransom demand are becoming prevalent.

The cyberattack on LifeLabs exemplifies the trend of data theft coupled with ransom demand. In November 2019, LifeLabs informed the Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for British Columbia that cybercriminals penetrated the company’s systems, extracted data and demanded a ransom. LifeLabs is Canada’s largest provider of general and specialty laboratory testing services. The company reported that it supports 20 million patient visits each year and conducts more than 100 million laboratory tests each year.

In December last year, Charles Brown, president and CEO of LifeLabs, said in a statement that information relating to approximately 15 million Canadians on the company’s computer systems were potentially accessed in the data breach. The vast majority of affected customers are from Ontario and British Columbia.

The president and CEO of LifeLabs also admitted that the company retrieved the stolen data by making a ransom payment. “We did this [ransom payment] in collaboration with experts familiar with cyber-attacks and negotiations with cyber criminals,” the president and CEO of LifeLabs said.

In a recently published investigation report, the Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for BC found that LifeLabs failed to protect the personal health information of millions of Canadians resulting in the data breach in 2019. Full details of the investigation report, however, haven’t been revealed to the public as the two offices said that LifeLabs claims that information it provided to the two offices is privileged or otherwise confidential. The two offices added they intend to publish the full report publicly unless Lifelabs takes court action.

The Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for BC issued the following orders to LifeLabs: to improve specific practices regarding information technology security, to formally put in place written information practices and policies with respect to information technology security, and to cease collecting specified information and to securely dispose of the records of that information which it has collected.

“Our investigation revealed that LifeLabs failed to take necessary precautions to adequately protect the personal health information of millions of Canadians, in violation of Ontario’s health privacy law,” Brian Beamish, Information and Privacy Commissioner of Ontario, said in a statement. “This breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant against these types of attacks.”

The order from the Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for BC, however, didn’t impose monetary penalties on LifeLabs as, to date, both offices can’t impose monetary sanctions. “This investigation also reinforces the need for changes to BC’s laws that allow regulators to consider imposing financial penalties on companies that violate people’s privacy rights,” Michael McEvoy, Information and Privacy Commissioner of British Columbia, said in a statement. “This is the very kind of case where my office would have considered levying penalties.”

The Ontario government, meanwhile, last March 25, amended the province’s health privacy law. Once implemented, Ontario will become the first province in Canada to give the Office of the Information and Privacy Commissioner the authority to levy monetary penalties against individuals and companies that violate Ontario’s Personal Health Information Protection Act (PHIPA).

Theft of Personal Information Coupled with Ransom demand

“Data breaches involving the theft of personal information coupled with a ransom demand are becoming commonplace,” Justice Edward Belobaba of the Superior Court of Justice Ontario, said in the case of Grossman v Nissan. “In some cases, the loss of privacy and actual harm sustained is significant; in other cases, it is slight. But in almost every case a class action is sure to follow.”

Grossman v Nissan case arises from the December 2017 cyber incident in which an unknown Nissan employee accessed a company database that contained the personal information of the company’s customers. The unknown Nissan employee then emailed a sample of the stolen data to the company executives and demanded the payment of a ransom.

In the case of the data breach on Lifelabs, with the pending publication of the full report of the Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for BC, it isn’t known whether the data breach simply involved stealing of data and ransom demand or whether it also involved a ransomware – a type of malicious software (malware) that encrypts victims’ computer files, preventing legitimate users from accessing these files and demanding from victims ransom payment in exchange for the decryption keys that may or may not unlock the encrypted files.

In recent months, over a dozen ransomware groups have named and shamed ransomware victims who refuse to pay ransom and further threaten victims that continued refusal to pay the ransom will result in the publication of their data – stolen prior to the encryption. The group behind the ransomware called “REvil” recently created a site similar to eBay, auctioning the stolen data of ransomware victims. All these points to the direction that ransomware groups steal data prior to encrypting victims’ files.

In the blog post “Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk“, Microsoft Threat Protection Intelligence Team said that “while only a few of these [ransomware] groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet.”

While ransomware is the new reality, there are simple ways to mitigate these risks. Speak with one of our IT security and IT services experts today and, tell us about your infrastructure, and learn how we can help you protect your organization today.

To schedule a free consultation, please call (416) 920-3000 or email us at sales@genx.ca