back to article Medical biz LifeLabs fesses up: Hackers slurped 15 million customer records – and we paid them to hand it all back

Canadian medical testing specialist LifeLabs says miscreants were able to break into its corporate network and access systems containing the sensitive and personal records of 15 million customers. While most of the files contained basic information, such as names, home and email addresses, dates of birth, login passwords, and …

  1. Johnny Canuck

    I seem to remember a while back someone bought some servers at an auction in B.C. and there was a ton of data on them. Since the data is from 2016 or earlier the timeline would just about line up.

    1. NixZiZ
      Black Helicopters

      NCIX

      NCIX auctioned off their servers after their bankruptcy and that had a bunch of customer data on it.

      NCIX was a Canadian computer component retail (Much like TigerDirect, CompUSA, Canada Computers, Microcenter...)

      They died in Dec 2017.

      1. Captain Scarlet

        Re: NCIX

        Wasn't the issue there the company selling equipment off had not wiped any drives, as below described in Linus Tech Tips as Linus was an employee.

  2. Johnny Canuck

    This was not NCIX (of Linus Sebastian fame). If I recall, the servers were bought somewhere? and the seller was offering to leave the data on for a pile of extra money.

  3. Wellyboot Silver badge

    85,000 personal medical test results were taken & the thieves rewarded.

    >>>one year of free identity theft and fraud protection services<<< Isn't even a starting point for this, it wasn't an online shopping account.

    Do we have any Canadian cousins who can shed light on local laws covering this?

  4. Cuddles Silver badge

    one year of free identity theft and fraud protection services

    It's a good job things like names, date of birth and medical conditions all magically change every year, so no fraud will be possible using the leaked data once that time is up.

  5. Doctor Evil
    FAIL

    major FU

    It's still not entirely clear (there are conflicting messages on this) what type of attack it was -- whether it was a classic ransomware shakedown without wholesale data extraction from the network, or whether patient information was indeed downloaded.

    If the latter is indeed the case, the company letter includes passwords among the data having been stolen. LifeLabs' CEO, in a statement, was unaware of whether or not the data was stored in encrypted form on their system.

    In 2019, who stores passwords (or, indeed, any contact information from a sensitive data trove like this) in clear text, unencrypted? That's inexcusable, the height of irresponsibility! And if this does prove to be the case, I'll line up to join a class action suit for absolutely criminal negligence.

  6. Doctor Syntax Silver badge

    They got their data back? Ummmm they got a copy back. But these are honest hackers so they can trust them.

  7. Big Al 23

    I'm sure they didn't make any copies or sell the data on the dark web...

  8. Just Enough

    Data leaks are not thefts

    "it got a copy of the information with a promise from the crooks"

    And if there's one thing you can count on, it's a promise from crooks.

    I can't fathom why people still treat data leaks as if they're like theft of something physical. You can't "retrieve" your data. It's gone. It's out there, anywhere. And unless the crooks deleted your copy when they took it, and you have no backups, "retrieving" the data is a totally pointless operation, other than as proof they have it, and still have it. Which is not something you need to pay for. The crooks are happy to send you as many copies of the data as you need to prove they have it.

  9. DanceMan
    Mushroom

    Fire the CEO

    This idiot could not say, two or three weeks after the incident, whether the data had been encrypted. I'm sure the IT guys had some idea about how to safeguard data, but the responsibility for this lies with management, the head of IT and those above him. If the CEO is so clueless he doesn't know this that long after the hack, he needs to go. First for incompetence and second to begin sending a message to others to take this seriously. The frequency of these losses is a stark reminder that CEO's have learned nothing to date.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021