LifeLabs announced yesterday in an open letter to customers that it has suffered a cyber attack affecting 10 million customers in Ontario, and 5 million customers in BC. LifeLabs CEO Charles Brown confirmed that customers’ names, addresses, birthdates, email addresses, customer logins and passwords, health card numbers and lab test results were affected by the breach. With regards to laboratory results, 85,000 customers from 2016 or earlier located in Ontario were affected, and that those customers would be contacted directly. Their investigation to date indicates any instance of health card information affected was from 2016 or earlier. If you think you may have been affected by this breach, Lifelabs has set up a phone line you can call for more information, and to take advantage of the one-year identity theft insurance and dark web monitoring. The phone number is 1-888-918-0467. They also say that if you have an account which lets you view your lab results online, you should change your passwords. While no one has confirmed who is responsible for the attack or how it happened, LifeLabs has confirmed that they paid a ransom to get the data back. In their letter to customers, Brown also said that “our cyber security firms have advised that the risk to our customers in connection with this cyber-attack is low and that they have not seen any public disclosure of customer data as part of their investigations, including monitoring of the dark web and other online locations.” Cybersecurity expert Brian O’Higgins told CTV News Channel customers “may have dodged a bullet” since the hackers were likely more interested in obtaining money in exchange for people’s personal data rather than caring about the lab results. The fact the hackers have any personal information at all could lead to identity theft and “that could lead to a world of hurt.” There is no guarantee that the hackers haven’t kept a copy of the data for use at a later date. Former Ontario Privacy Commissioner, Ann Cavoukian, said it’s “virtually impossible to control in terms of getting it back and you don’t know where it might appear.” She added once customers give up their personal data to third parties, they’re at their mercy. She then chastised Lifelabs for not having strong enough security to prevent the data breach: “I say that data at rest (such as the health card numbers and addresses) should be strongly encrypted so it doesn’t serve as a magnet for the bad guys, you don’t want to be an easy target. And that’s what’s so appalling. LifeLabs should have had the strongest security measures in place already.” LifeLabs is working with the privacy commissioners of both BC and Ontario, as well as law enforcement to find out what went wrong. Lifelabs is also offering any customer who is concerned about this incident a free year of protection including dark web monitoring and identity theft insurance from American consumer credit reporting agency TransUnion.