Privacy News Hackers Breach Network of LabCorp, US' Biggest Blood Testing Laboratories

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
LabCorp, the US' biggest blood testing laboratories network, announced on Monday that hackers breached its IT network over the weekend.
"At this time, there is no evidence of unauthorized transfer or misuse of data," the company said. "LabCorp has notified the relevant authorities of the suspicious activity and will cooperate in any investigation."

LabCorp shut down parts of its IT systems

LabCorp did not provide any details about the incident but said it shut down various portions of its systems to contain the intrusion.
"This temporarily affected test processing and customer access to test results on or over the weekend," the company said in an SEC 8-K form.

"Work has been ongoing to restore full system functionality as quickly as possible, testing operations have substantially resumed today, and we anticipate that additional systems and functions will be restored through the next several days," LabCorp said.
This could be a dangerous hack

But while the company is trying to play down the incident, the reality is that even the smallest hack affecting this organization has serious repercussions for millions of Americans.

"LabCorp is one of the largest diagnostic laboratories in the world, and, as you may not be aware, is a very critical part of U.S. healthcare infrastructure," Pravin Kothari, CEO of cybersecurity solution provider CipherCloud told Bleeping Computer today via email.

"They have hundreds of networked labs across the United States and all of them are likely interconnected centrally with LabCorp headquarters. This may be one of the largest healthcare networks in the world with connections to many thousands of physician offices, hospitals and their testing facility offices worldwide.
 
F

ForgottenSeer 58943

Idiots after idiots.

Also, I believe there should be a federal law requiring reporting of breaches to the public.

For example I am aware of one of the largest insurance underwriters in the USA getting ransomeware hit last week, then being forced to pay the ransom, and another week of recovery efforts. However they've not disclosed this to anyone and have been working to keep it secret.

If firms have to be embarrassed into establishing proper security and budgets for IT, then so be it. Make it happen.
 

Daviworld

Level 2
Verified
Feb 19, 2018
60
This is extremely troubling in the sense that this could become a big threat to us in the long run, in the past 7 months alone, how many of us have read, seen, or heard about a data breach, mishandling of data, or exposed data online from various players big and small, known and unknown. I feel like if we don't do something to fix this by improving our infosec literacy among the general public, and strengthening our IT security in the public and private sectors. The american way of kicking the can down the road until it blows up in our face might be too late to fix by then. Who knows how compromised we are at this point.
 
  • Like
Reactions: vtqhtr413
5

509322

This is extremely troubling in the sense that this could become a big threat to us in the long run, in the past 7 months alone, how many of us have read, seen, or heard about a data breach, mishandling of data, or exposed data online from various players big and small, known and unknown. I feel like if we don't do something to fix this by improving our infosec literacy among the general public, and strengthening our IT security in the public and private sectors. The american way of kicking the can down the road until it blows up in our face might be too late to fix by then. Who knows how compromised we are at this point.

Data breaches have been happening for decades - and nowadays the data is frequently dumped or peddled on the Dark Web.

This is not a new threat; it is a very old one.
 

Daviworld

Level 2
Verified
Feb 19, 2018
60
Data breaches have been happening for decades - and nowadays the data is frequently dumped or peddled on the Dark Web.

This is not a new threat; it is a very old one.

This is true, but not at the frequency it is happening now. While I occasionally visit the dark web myself just to get an idea of what's going on in the underground world, I do frequently see credentials, exploits, data and such being sold, traded, and abused. Again, like you said this is all old, but the frequency in modern times is alarming to me personally since I deal with a lot of security incidents in my day-to-day job, so maybe my perception is a bit warpped on the issue
 
  • Like
Reactions: upnorth
5

509322

This is true, but not at the frequency it is happening now. While I occasionally visit the dark web myself just to get an idea of what's going on in the underground world, I do frequently see credentials, exploits, data and such being sold, traded, and abused. Again, like you said this is all old, but the frequency in modern times is alarming to me personally since I deal with a lot of security incidents in my day-to-day job, so maybe my perception is a bit warpped on the issue

Yes. The frequency of data breaches is accelerating and their size is growing.

Except for a very few corner cases, people and organizations are not required by law to protect your data. And that is never going to change because of costs.
 
  • Like
Reactions: Daviworld

Daviworld

Level 2
Verified
Feb 19, 2018
60
Yes. The frequency of data breaches is accelerating and their size is growing.

Except for a very few corner cases, people and organizations are not required by law to protect your data. And that is never going to change because of costs.

This is very true, I always forget America doesn't really have any comprehensive data law's like our Europe Counterparts! Unfortunately in America we don't have a GDPR law we can count on :(
 
5

509322

This is very true, I always forget America doesn't really have any comprehensive data law's like our Europe Counterparts! Unfortunately in America we don't have a GDPR law we can count on :(

Read GDPR carefully. There is no mandated minimum security requirement. It is more or less about pseudonymisation as part of the product function, right to erasure, designated personnel to deal with breaches - but nowhere does it state that any person or organization must apply a certain level (minimum standard) of IT security. Not gonna happen... due to costs. They do not have to protect your data; some products must minimize it and give the user control over it. That's it.
 
  • Like
Reactions: harlan4096

Daviworld

Level 2
Verified
Feb 19, 2018
60
Read GDPR carefully. There is no mandated minimum security requirement. It is more or less about pseudonymisation as part of the product function, right to erasure, designated personnel to deal with breaches - but nowhere does it state that any person or organization must apply a certain level (minimum standard) of IT security. Not gonna happen... due to costs.

I'll have to revisit GDPR to confirm my statement below.

But, I could of sworn I read there was at least some expectation's of companies and government's safe guarding European's data, otherwise they would face a fine if they were caught being negligent regarding data security

EDIT:
https://www.eugdpr.org/the-regulation.html


"
Privacy by Design
Privacy by design as a concept has existed for years now, but it is only just becoming part of a legal requirement with the GDPR. At it’s core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition. More specifically - 'The controller shall..implement appropriate technical and organisational measures..in an effective way.. in order to meet the requirements of this Regulation and protect the rights of data subjects'. Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of its duties (data minimisation), as well as limiting the access to personal data to those needing to act out the processing.

Data Protection Officers

Currently, controllers are required to notify their data processing activities with local DPAs, which, for multinationals, can be a bureaucratic nightmare with most Member States having different notification requirements. Under GDPR it will not be necessary to submit notifications / registrations to each local DPA of data processing activities, nor will it be a requirement to notify / obtain approval for transfers based on the Model Contract Clauses (MCCs). Instead, there will be internal record keeping requirements, as further explained below, and DPO appointment will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences. Importantly, the DPO:
  • Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices
  • May be a staff member or an external service provider
  • Contact details must be provided to the relevant DPA
  • Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
  • Must report directly to the highest level of management
  • Must not carry out any other tasks that could results in a conflict of interest."
This is what I was referring to, from my understanding this seems like a mandated order to include data security at the early levels or else risk fines
 
Last edited:
5

509322

I'll have to revisit GDPR to confirm my statement below.

But, I could of sworn I read there was at least some expectation's of companies and government's safe guarding European's data, otherwise they would face a fine if they were caught being negligent regarding data security

EDIT:
https://www.eugdpr.org/the-regulation.html


"
Privacy by Design
Privacy by design as a concept has existed for years now, but it is only just becoming part of a legal requirement with the GDPR. At it’s core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition. More specifically - 'The controller shall..implement appropriate technical and organisational measures..in an effective way.. in order to meet the requirements of this Regulation and protect the rights of data subjects'. Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of its duties (data minimisation), as well as limiting the access to personal data to those needing to act out the processing.

Data Protection Officers
Currently, controllers are required to notify their data processing activities with local DPAs, which, for multinationals, can be a bureaucratic nightmare with most Member States having different notification requirements. Under GDPR it will not be necessary to submit notifications / registrations to each local DPA of data processing activities, nor will it be a requirement to notify / obtain approval for transfers based on the Model Contract Clauses (MCCs). Instead, there will be internal record keeping requirements, as further explained below, and DPO appointment will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences. Importantly, the DPO:
  • Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices
  • May be a staff member or an external service provider
  • Contact details must be provided to the relevant DPA
  • Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
  • Must report directly to the highest level of management
  • Must not carry out any other tasks that could results in a conflict of interest."
This is what I was referring to, from my understanding this seems like a mandated order to include data security at the early levels or else risk fines

Those are guidelines - and do not establish a standard. A standard establishes the exact minimum requirements against which an implementation can be measured. A standard is spelled-out in minute detail.

GDPR specifies no standard of security. What does "expert knowledge [of data protection] practices" and "appropriate resources" mean precisely in the overall security implementation and configuration ? Nothing in practical terms. That's what it means. Have fun duking it out in court to define exactly what it means and what the minimum standard actually is.

I can be a DPO and use whatever in my "expert knowledge" I deem fit. I can have multiple PhDs along with top industry certifications and come to this professional conclusion...

Windows Defender is sufficient...

Also, note the DPO is not the security czar. That person is just a DPO. The implementation of the security itself is not defined - what shall be implemented and who shall do it.
 
Last edited by a moderator:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top