Western students were likely affected by a massive data breach, according to an expert, after 15 million Canadians’ data was stolen from medical testing company LifeLabs.
The largest such company in Canada was hacked in October, breaching its patients’ personal information — including usernames, passwords and health card numbers — and 85,000 blood tests from 2016 and prior. All of the data is from Ontario and British Columbia.
LifeLabs is responsible for medical testing at Western University with its clinic in the University Community Centre. Students doing STI screens or even routine blood tests could have been compromised by the hack.
Colin Couchman, director of Western Technology Services, said students frequently use their school email and the same password for various accounts, including the account to access their private LifeLabs test results.
This puts Western in a precarious situation, as the attackers may now have access to students’ account credentials. But the risk comes as Western is introducing a major shift in email security, which Couchman said should neutralize any new dangers posed by the stolen data.
Western University released a statement directly following the attack, urging students with LifeLabs accounts to change their email passwords.
LifeLabs is unable to share client information, including the number of Western students impacted by the breach. But Couchman said he assumes the number of students who have used the service is “probably quite high.”
“If the password and usernames that were used to create those accounts on LifeLabs are breached and are out there, then it is possible that those criminals could have accessed people’s accounts at Western with those credentials,” he said.
Hackers used a “ransomware” attack to take control of LifeLabs’ data and move it behind a new wall of security that only they could bypass. LifeLabs then paid ransom to retrieve the data, only announcing the breach afterward on Dec. 17.
Western throughout the year will implement a new cybersecurity plan spearheaded by Couchman. While it’s not a direct response to the breach, the changes are meant to secure the university’s system against attacks like this — even if students use the same password for various accounts.
Extra security step coming to UWO emails
University email accounts will require two-factor authentication as of the fall semester, meaning students will need to use their password as well as a second code sent to a cellphone or other device to log in.
“The second factor is something that [only] you have,” he said. “Only you have that device, and the criminals don’t have access to it, nor can they hack it — so it’s a good, effective combination to make sure you are who you say you are.”
Couchman expects that the extra layer of security will “completely nullify” the risk of a security breach, and the possibility of phishing or spam emails that plague Western inboxes year-round.
Student accounts will be transitioned to the new system over the summer, while staff and faculty will begin on a rolling basis this semester.
Couchman said he is confident that Western is well protected, but noted that ransomware attacks are becoming more prominent.
Ransomware attacks gain access to an account, use it to access important data, and then encrypt it — demanding ransom in exchange for the key to unlock the information. Payments are typically demanded over Bitcoin, an anonymous way to pay.
And while most ransomware attacks end as the company is able to unlock their data once again, there’s no telling what the cybercriminal did while they had the information.
“There is a high risk that data was removed from those databases, or copied … in the form of usernames, passwords, health card numbers and things of that nature,” Couchman said.
LifeLabs data is in a similar position. It was returned by its captors, but they could have any number of copies for other purposes.
Customers can get in touch with LifeLab’s call centre to find out if their information was involved in the breach.