Earlier this month, LifeLabs—a medical testing laboratory used by millions of patients and their physicians—announced that it had become the target of a serious cyberattack.
In the attack, which was discovered in late October, private records for some 15 million patients—including health data, lab results, biographical information, and login information—were compromised and then held for ransom by attackers.
LifeLabs paid the ransom to regain access to the data, but the incident raises good reasons for serious concern:
There is no reason to assume that the attackers have not preserved copies of the breached data
There is no reason to assume that the attackers do not plan to sell the data on the dark web, or that they have not already done so
Details of the breach did not become public until weeks after the attack occurred
The mechanism of behind the attack hasn't yet been revealed, but the Office of the Information and Privacy Commissioner (OIPC) for British Columbia says that "cyber criminals penetrated the company's system, extracting data and demanding a ransom," all of which suggest a data breach—not merely an encrypt-in-place malware attack.
What does an incident like this tell us? Here are three conclusions that can already be drawn, even before authorities have released more detail about the incident.
Out-of-band Multi-Factor Authentication (MFA) Needs to Be Everywhere
Following the initial attack, it was more than a month before LifeLabs and authorities to begin to notify affected patients and consumers—despite the fact that affected data included, to reiterate:
Various biographical data including birth dates
Those two items are more than enough to compromise many other accounts not protected by MFA, since consumers routinely reuse login information, despite warnings, and since biographical data is routinely used to gatekeep password reset workflows.
It appears to be sheer dumb luck that authorities say they haven't seen compromised credentials from the LifeLabs breach in active circulation among criminals—but with MFA use still lagging in the real world, the potential for the effects to reach into consumers' banking, e-commerce, and other life activities is great.
From the corporate perspective, even if you're not LifeLabs, if you do business online with consumers you should be using strong, out-of-band MFA—because someone somewhere is inevitably going to be a LifeLabs again. And again. And again.
We've seen enough by now to know that each time one of these breaches happens, crooks tend to come away with enough data about countless individuals—even reusable biometric data in some cases these days—to get into thousands, hundreds of thousands, or even millions of consumer accounts on other critical services and systems.
Unless, that is, those accounts are protected by strong MFA.
Authorities Need to Move More Quickly to Notify, Even If It's Painful
In the meantime, reporting gaps of weeks or even months between a breach and notification that a breach has occurred need to be eliminated.
We get it—companies are loathe to move quickly to start the catastrophic press coverage that a breach is sure to create, and authorities want to be cautious so as to deliver accurate information to the public.
The fact is, however, that MFA isn't deployed everywhere just yet—and that each day that passes between a breach and the public's awareness of it is another day on which consumers:
Don't know to change their passwords
Don't know to finally enable MFA where they've had the choice but put it off
Don't know to check their accounts and records for illicit activity
In today's world, we think that's ultimately unacceptable. With millions of lives and fortunes at stake in each of these incidents, true "caution" isn't in delaying an announcement until concrete facts are in—it's in telling every potentially affected consumer that they're at risk as early as is humanly possible.
Only that way can the fallout from these breaches be limited to the greatest possible extent.
MFA Needs to Become More Palatable
The fact that in 2019 we're still having part-worried, part-wistful discussions about how everyone needs to deploy MFA shows that work needs to happen in the MFA world as well.
Consumers are angry—and afraid—as the march of large data breaches across international news headlines continues—yet they and the organizations that serve them continue to drag their feet when it comes to MFA deployment.
This is no accident. The average consumer already struggles to remember usernames and rule-encumbered passwords. Adding yet another step to login flows is something that consumers—and by extension, the companies that serve them—dread.
The de-facto standard among companies that support MFA for consumer accounts has become "opt-in" MFA for "added" security. But as the costs continue to escalate for all, it's clear that this is a bad solution that leads both to much frustration and to much regret.
Commonly deployed authentication strategies need to be better—less cumbersome and with less added friction. Solutions like Plurilock ADAPT for login workflows and Plurilock DEFEND for continuous, full-session authentication are multi-factor, out-of-band, and invisible to users, imposing no new steps and no secrets to remember while offering the protection against credential reuse that comes with MFA.
If we're going to limit the consequences of major data breaches—and the motivation, in the form of stolen credentials and biographical data, that lead to them—invisible solutions like these need to become standard across every online industry. ■