Laboratory diagnostics and testing services provider LifeLabs revealed Wednesday it had paid hackers to retrieve stolen data of nearly 15 million Canadian customers during a data breach last month.
In a post published on their website, the Toronto-based company admitted an unknown attacker had gained access to its computer system in November and stole the personal and medical information of its customers. Among the information stolen in the breach included the customers’ names, addresses, email addresses, login information, the password for LifeLabs account, birthdays, health card numbers, and lab test results.
“Personally, I want to say I am sorry that this happened. As we manage through this issue, my team and I remain focused on the best interests of our customers. You entrust us with important health information, and we take that responsibility very seriously,” Charles Brown, President, and CEO of LifeLabs, said in a statement.
As cited in the documents filed with the Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for British Columbia, the breach happened around November 1 this year. During the incident, the company said that the hackers were able to breach their system, extract customer data, and demanded a ransom in exchange for the stolen data.
The company did not disclose the amount of ransom they have paid to the hackers. However, they did clarify that they have made the arrangement with the help of “experts familiar with cyber-attacks and negotiations with cybercriminals.”
CEO Brown also clarified that the company has taken all the necessary measures to protect its customers’ information after the discovery of the incident. Among the several steps, they have taken include reaching out to “world-class cybersecurity experts,” reporting to law enforcement, improving their current systems, retrieving the data by making the payment, as well as providing cybersecurity protection services to customers.
“I want to emphasize that at this time, our cyber security firms have advised that the risk to our customers in connection with this cyber-attack is low and that they have not seen any public disclosure of customer data as part of their investigations, including monitoring of the dark web and other online locations,” President Brown added.
To date, LifeLabs is advising its customers to change their passwords on the company’s site, as well as on other sites where they have reused the password.
"Any customer who is concerned about this incident can receive one free year of protection that includes dark web monitoring and identity theft insurance," LifeLabs added.