Some significant infosec privacy incident news in Canada today, following a massive breach of millions of very sensitive #lifelabs health records in 2019!
I recommend reading through the whole report, PDF here: https://www.ipc.on.ca/en/resources/joint-investigation-lifelabs-data-breach
This story gives us a number of really important lessons to share with our executive sponsors; I'll thread some of my own observations:
🧵
=> More informations about this toot | More toots from oration@mastodon.social
The Information and Privacy Commissioner of Ontario released the news yesterday, here: https://www.ipc.on.ca/en/media-centre/news-releases/commissioners-publish-2020-investigation-report-lifelabs-privacy-breach-affecting-millions-canadians
News reporting of the story here: https://www.cbc.ca/news/canada/british-columbia/lifelabs-data-breach-report-1.7393107
Now, on to my own observations...
My Observation 1: It's not okay to try and hide breach investigations behind lawyers and call the information privileged or confidential.
The Court stomped on keeping legislatively mandated investigations privileged, according to the IPC's press release: "privilege did not protect the facts related to the cyberattack, including those facts that must be determined or produced as part of LifeLabs’ legal obligations to investigate and remediate the privacy breach."
For more, refer to paragraph 80 of LifeLabs LP v. Information and Privacy Commr. (Ontario), 2024 ONSC 2194 (CanLII), https://canlii.ca/t/k4bqw
My Observation 2: It's not okay to just say "unauthorized access" or "could include [sensitive information]" when you know for sure that the criminals have exfiltrated your datasets full of sensitive information to their own possession.
But really, the exfiltration was known at the time to have included huge datasets (8.6M people) of very sensitive information (identities, medical diagnostic test results).
What the 2019-12-17 LifeLabs announcement at https://customernotice.lifelabs.com/ said: "LifeLabs recently identified a cyber-attack that involved unauthorized access to our computer systems with customer information that could include [sensitive information]."
My Observation 3: Hacks and breaches are not technical events with technical causes and technical solutions, they are leadership failures derived from executive inattentiveness.
The finding says "LifeLabs failed to have in place and follow policies and information practices that comply with PIPA and PHIPA."
Specifically, patch management and CVE handling were ad hoc and siloed; there was no framework or validating oversight over them. There was no centralized inventory of dependencies that the organization could use to apply continuous improvement to managing those dependencies, which is a failure of vendor management and service portfolio design within service management.
My Observation 4: Press releases and generic descriptions are not adequate victim notifications. If you're holding and processing information, with a legal obligation to notify victims on a fixed timeline from an incident, then you should have a plan in advance.
The finding says "not implemented a process to notify all individuals about the details of what ... was compromised without requiring those individuals to make a formal access request. Therefore, LifeLabs has not complied ..."
And (pg. 22): "Considering the nature of the personal health information and personal information involved in this breach, the known criminal intent of the attackers, and LifeLabs’ inability to confirm the attackers’ deletion of the information, it is our view that the risk of harm to individuals impacted by this breach is medium-to-high depending on the types of personal information or personal health information at issue."
On pg. 27, the report talks about how some people were notified about some impacts, but other people weren't notified and many had to jump through hoops to find out what kind of impact they had.
My Observation 5: Your business executive sponsors should not apply their lay interpretations to hand-wave away subject matter expertise.
The report says (pg. 11): "LifeLabs took the position that the vast majority of the information compromised in the breach was not highly sensitive ... Among other claims, ... only 1.5% of the compromised data consisted of laboratory test orders or results and that the other datasets did not ..."
And: "We disagree with LifeLabs’ assessment and find their approach to be very cavalier regarding the privacy of their clients’ health information. For example, we completely reject the idea that health card numbers are not sensitive. All ... was sensitive. The datasets ... contained patient demographic information including one’s health number. ... could be used by an identity thief to steal an individual’s identity and impersonate them to obtain false credit or fraudulent benefits."
My Observation 6: Businesses that hold and process sensitive information are held to a "reasonable" standard for staffing and funding their security capabilities; this is a board responsibility.
The report says (pg. 19): "Before June 2017, LifeLabs did not have any staff responsible for information security as a distinct role. ... [Then in 2018] Four staff dedicated to information security out of 5700 employees represents a mere 0.07% of LifeLabs’ total workforce."
And: "We believe it unacceptable for an organization of LifeLabs’ complexity and size, dealing with large volumes of sensitive personal health information across multiple systems and applications, to have had the level of security staffing that it did."
Further... they had no actual policies for security (pg. 22): "However, when the ON IPC and BC OIPC questioned the CISO of LifeLabs under oath, he indicated that the policies were in draft form and were not in effect at the time of the breach and were not in effect at the time that the CISO was questioned."
This is not a failure within a security department or even a failure within IT. This is a failure of the board of directors. In response, LifeLabs has since (pg. 22): "established an Information Security Council with internal and external members who will regularly report to the CEO and the Board of Directors on information security practices and protocols"
This Information & Privacy Commissioner report was written and finalized on 2020-06-25, but LifeLabs threw tons of money at trying to keep it secret from us. The courts quashed the suppression of the report on 2024-04-30, but it was stuck in appeals until this week.
I find it notable that in the interim, Quest Diagnostics announced a $1.35B deal to buy LifeLabs from OMERS on 2024-07-03, completing the acquisition on 2024-08-26.
Those are just my own personal observations that I wanted to shout out into this void, and I encourage you to read these things for yourself and reach your own conclusions.
I really do believe that leadership is essential for any org to prevent and handle incidents, so that's the lens I see these things with.
There's lots to be said about the more technical details that change from incident to incident, but the common denominator of ineffective executive leadership is usually the same between the lines.
That said, I'm also on the market for my next gig. If your business needs help with this kind of stuff, I'm at https://www.robrussell.ca/
@oration ... and for all this, claimants in the data-breach class action to get $7.86 each, which was originally set at $150 each.
=> More informations about this toot | More toots from scruss@xoxo.zone
@scruss That's a pittance for you, but $150M from their insurance company!