The Canadian health diagnostics firm LifeLabs reported it payed cybercriminals an undisclosed amount of money to retrieve customer data stolen in a recent cyberattack.

LifeLabs president and CEO Charles Brown said the decision to pay the malicious actors was taken in in collaboration with cybersecurity experts familiar who handle cyberattacks and negotiations with cybercriminals. The data accessed in the attack included name, address, email, login, passwords, date of birth, health card number and lab test results, the company said.

“It looks like the criminals were successfully able to extort money from LifeLabs, but paying criminals is no guarantee they won’t re-sell the data, or use it to compromise users further. So customers should be wary of any emails they receive, particularly ones which may claim to be from LifeLabs. Additionally, customers should take advantage of any identity theft protection that is offered and keep an eye on their credit records,” Javvad Malik, security awareness advocate, KnowBe4.  

Brett Callow, a threat analyst with Emsisoft, vehemently disagreed not only with LifeLabs’ decision to pay, but for believing the bad guys would not keep a version of the purloined data.

“Bottom line. They gave the criminals $X, helped fuel the cycle of cybercrime, customer data is still in the hands of cybercriminals and will likely be released at some point or used to perpetrate ID fraud or used to extort money from LifeLabs a second time,” he told SC media.

LifeLabs did not describe how or when the attack took place, but said the database accessed contained information on about 15 million of its customers, most of whom are from British Columbia and Ontario with a few in other provinces. The lab test results involved cover 85,000 from Ontario from 2016 and earlier.