Woe #1 – fleecing otherwise nice people by hacking their health data
It looks like potentially one of the worst hacks in Canadian history. More than 15 million LifeLabs customers may have had data breached in a cyberattack. The details are a bit sketchy, and the story took weeks to come out. There have been multiple versions of the headlines with some indicating “healthcare data stolen” while others referencing “ransomware” —which only highlights how difficult these stories are to cover. This distinction matters because a ransomware attack typically locks down data, which means it may not have been actually stolen. We really don’t know at this point.
Why does this happen? Simple, these attacks are now so common that the media treats them as crime stories rather than tech stories, which means that sometimes the technical details get…confused. Making things worse, it appears that LifeLabs hasn’t exactly been clear and concise with their communications. From my experience, these types of incidents have a heavy fog-of-war around it, which always makes things more difficult.
That said, the impact is potentially devastating as millions of Canadians may have some of their most sensitive personal information out there on the web. What is the value for a cyber-criminal? Well, expert opinion is mixed, but some studies show that health care data can be sold on the dark web for as much as $1,000. At these rates, I suspect that the kind of data is either for high net-worth individuals or those with highly sensitive information. Other studies cite numbers closer to $1 - $50. The primary motivation for stealing this kind of data would be to help with identity theft, or more seriously, to blackmail people with some personal medical information that perhaps you don’t want your friends, family, or employer to know.
Woe #2 – fleecing otherwise nice people by tricking them with reward points
Stealing health data to enable identity theft is a bit of a long con. Alternatively, you can get to someone’s bank account much quicker by setting up a fake domain name to get the credentials of Loblaws PC Optimum members. Full disclosure, my family are very happy and active Optimum users, so the fact that I am gushing a little over this next part has nothing to do with my fiduciary relationship with the organization ;)
This scam works particularly well during the holiday season when credit cards, points cards, and greeting cards are flowing fast and free. With so many transactions going through our various accounts, it is easier to miss something or overlook an obvious scam. In this case, the cyber-thieves used a fake domain name to set up a phishing site that looks a lot like the one you expect from PC Optimum. Thankfully, Loblaws did a fantastic job of getting out in front of it to issue the appropriate warnings to their customers.
This is a classic scam that has been going on forever; heck CIRA finds and blocks over 100,000 new malicious domain names every day as part of delivering our DNS Firewall service to organizations. Why so common? Frankly, because it continues to work well. We have had CTOs tell us their stories about when they accidentally clicked on a malware link, illustrating the fact that everyone gets caught off guard eventually.
No safety in HTTPs
One thing to note from the article liked above is that it seems to imply that you can trust a site that uses HTTPS. This is pretty poor advice as criminals have been known to abuse HTTPs too. Here is a warning from the FBI on the use of HTTPs by criminals using certificates.
While it is nice to see these issues getting more attention from the media (after all PIPEDA now requires organizations to disclose them), what we need now is more cybersecurity education and training for everyone. Much like your mom may have taught you how to cross the street safely, cybersecurity awareness training is something that every Canadian should be interested in.