Cybersecurity threat analyst says LifeLabs made "absolutely terrible decision" by paying ransom

Like possibly millions of British Columbians, Brett Callow believes that his personal information may have been compromised by a cyberattack on LifeLabs.

And Callow, a threat analyst at the anti-malware software firm Emsisoft, told the Straight that it was an "absolutely terrible decision" for the Toronto-based company to pay ransom.

In an open letter to customers, LifeLabs president and CEO Charles Brown revealed that it made a payment to the unknown cybercriminals to retrieve data relating to 15 million customers.

"It's akin to paying a blackmailer in the hope that they will return an incriminating photo to you," Callow said by phone. "They may return the photo but then they also kept a copy. LifeLabs is working on nothing more than a pinky promise that the data won't be used."

Emsisoft is an associate partner in the No More Ransom Project, which is a European Police Office initiative to discourage companies from paying cybercriminals who hijack IT systems.

LifeLabs president and CEO Charles Brown did not use the term "ransomware" in the open letter, which emphasized that the company's security systems have since been upgraded.

This morning, Brown told CBC Radio One Early Edition host Stephen Quinn that he didn't know if his company's data had been encrypted.

While many media outlets have described this as a ransomware attack, Callow questioned whether this is the proper terminology.

Ransomware often involves applying a digital lock to IT systems, which will only be released after money was paid.

"At this point, it isn't clear whether this was a ransomware attack or simply an act of data theft," Callow said. "It's hard to say. If the bad guys have your data, you obviously can't pay to get it back.

"You're just paying for that promise that they won't use it or release it," he continued. "If this was a ransomware attack, though, their systems likely would have been knocked off line for several weeks. And that probably wouldn't have gone unnoticed."

He also blasted LifeLabs for taking so long to inform the public. The company noticed problems in late October.

"People have a right to know if their data has been compromised."

Today, the first lawsuit has been filed in B.C. Supreme Court against LifeLabs in connection with the security breach. According to CBC News, the plaintiff, Kennet Morrison, is hoping to have it certified as a class action.

The Straight asked Callow what advice he would give to the Ontario and B.C. information and privacy commissioners who are investigating the LifeLabs data breach.

"If I'd assume LifeLabs acted in accordance with the law, my advice would be that the law needs to be changed—and that disclosures need to be made much, much more quickly," he replied. "It simply isn't acceptable that the public has to wait a month and a half to find out that their data has potentially been compromised during that time. It could be used to commit identity theft and [for] all manner of other purposes."

Callow speculated whether there are parallels between the LifeLabs hack and what recently occurred at a Manitoba-based insurance brokerage called Andrew Agencies.

In that case, a ransomware attack was not publicly disclosed and was only confirmed after its name appeared on a list of targets that had appeared online.

Emsisoft recently released a report saying there were at least 948 government agencies, educational establishments, and health-care providers in the U.S. that were hit with ransomware attacks in 2019. The potential costs added up to more than US$7.5 billion.

According to the report, these attacks put people's safety at risk as surgical procedures were cancelled, emergency patients had to be sent to other hospitals, medical records were inaccessible, and jail doors could not be remotely opened.

"The fact that there were no confirmed ransomware-related deaths in 2019 is simply due to good luck, and that luck may not continue into 2020," Emsisoft chief technology officer Fabian Wosar said. "Governments and the health and education sectors must do better."