Are LifeLabs hack victims risking their privacy to get free credit monitoring?
LifeLabs signage is seen outside of one of the lab's Toronto locations, Tuesday, Dec. 17, 2019. (THE CANADIAN PRESS/Cole Burston)
TORONTO -- After a massive data breach that jeopardized the personal information of more than 15 million Canadians, LifeLabs extended an olive branch to its customers: 12 months of identity theft insurance through TransUnion.
But many of those left compromised by the cyberattack say they are hesitant to hand over more personal data to TransUnion, a credit reporting agency with its own history of data breaches.
“They’re moving our data from one unsecure site to another unsecure site,” LifeLabs customer Bonnie Brugger told CTVNews.ca by phone from her home in rural B.C. last week.
“What is being promised by [LifeLabs] is not what we think it is. We’re putting our identities at further risk.”
Shortly after news of the data breach broke, Brugger called a dedicated phone line set up by LifeLabs to activate her coverage through TransUnion. After discovering she needed access to a computer in order to complete the process, she called TransUnion directly and claims she was connected to an India-based call centre.
Already skeptical that her data would be stored outside of Canada, Brugger says she was then asked for her Social Insurance Number (SIN) to confirm her identity.
“You have all of this personal and medical information, and then you connect it with a Social Insurance Number,” Brugger said.
“They don’t need anything else to steal your identity. That is beyond gold for a cybercriminal... And if all this is going to a server in India, every alarm bell is going off in my head.”
In an emailed statement to CTVNews.ca Thursday, a TransUnion spokesperson confirmed that its customer support agents may request a social insurance number “when locating a customer’s file or verifying their identity.”
However, the company notes that customers are not required to provide TransUnion with that information.
The company also confirmed that Canadian consumer data is only stored on servers inside of Canada.
“Information security is a company-wide priority at all levels of our organization,” reads the statement.
“TransUnion takes a multilayered, risk-based approach to security, which is based on a number of overlapping and redundant controls designed to prevent, detect and respond to cyber threats.”
In October, TransUnion confirmed that the personal information of 37,000 Canadians was compromised after one of its business customer’s login credentials was fraudulently used to access data.
"The unauthorized access was not the result of a breach or failure of TransUnion's systems or our customer's system," a company spokesperson said at the time.
But Brugger isn’t the only LifeLabs customer to feel wary about TransUnion’s history -- several people have taken to Twitter to voice their concerns.
In an emailed statement to CTVNews.ca, LifeLabs said the company has discussed previous security concerns with TransUnion and has “faith” in the company to provide safe and secure services to its customers.
“TransUnion has told us that this was an isolated incident involving one of TransUnion’s business customers and that their systems were not breached and there was no failure of their systems or security controls,” a LifeLabs spokesperson said via email.
“As such, LifeLabs has faith in TransUnion’s ability to provide safe and secure credit monitoring and fraud insurance protection to LifeLabs customers who may have been impacted by the breach.”
LifeLabs noted that the estimated number of customers impacted by its own security breach has not changed since the initial announcement in December.
Should consumers trust a company with a data breach history? No, experts say
Privacy experts say customers have every right to be wary, especially considering the sensitive medical information already involved in the LifeLabs breach.
“I wouldn’t use the word ‘trust’ at all,” former Ont. privacy commissioner Ann Cavoukian told CTVNews.ca by phone. “Unfortunately they have no recourse other than to use Transunion.”
Cavoukian, who described the LifeLabs data breach as “devastating,” says she is most concerned that the company is only offering one year of personal data protection.
“The bad guys, the hackers, sit on the data for a year and then they strike,” she explained.
Mahesh Tripunitara, cybersecurity expert at the University of Waterloo, says that a reoccurring theme in both data breaches is the improper archiving of customer information.
“I love using Google products... [but] the only way I can use Google maps, for example, is to give them my information for them to archive and use as much as they want,” Tripunitara told CTVNews.ca by phone.
“It’s the same with LifeLabs—how many of us knew they were archiving this information? It’s probably hidden in some gobbledygook and no one reads that anyway.”
Both Cavoukian and Tripunitara agree that companies collecting consumer data need to be more transparent about what kind of information they’re storing, how long they are storing it for, and what security measures are in place to protect it.
Cavoukian says that starts with consumers demanding to have their data protected.
“Consumers should be asking companies to protect them,” she said. “In posing the question it raises a flag about security and gets them to do more.”
Both experts say that the best thing affected LifeLabs customers can do is keep a close eye on their personal and financial data and flag any potential identity theft as soon as it’s spotted.