TORONTO -- After a massive data breach that jeopardized the personal information of more than 15 million Canadians, LifeLabs extended an olive branch to its customers: 12 months of identity theft insurance through TransUnion.
But many of those left compromised by the cyberattack say they are hesitant to hand over more personal data to TransUnion, a credit reporting agency with its own history of data breaches.
鈥淭hey鈥檙e moving our data from one unsecure site to another unsecure site,鈥 LifeLabs customer Bonnie Brugger told CTVNews.ca by phone from her home in rural B.C. last week.
鈥淲hat is being promised by [LifeLabs] is not what we think it is. We鈥檙e putting our identities at further risk.鈥
Shortly after news of the data breach broke, Brugger called a dedicated phone line set up by LifeLabs to activate her coverage through TransUnion. After discovering she needed access to a computer in order to complete the process, she called TransUnion directly and claims she was connected to an India-based call centre.
Already skeptical that her data would be stored outside of Canada, Brugger says she was then asked for her Social Insurance Number (SIN) to confirm her identity.
鈥淵ou have all of this personal and medical information, and then you connect it with a Social Insurance Number,鈥 Brugger said.
鈥淭hey don鈥檛 need anything else to steal your identity. That is beyond gold for a cybercriminal... And if all this is going to a server in India, every alarm bell is going off in my head.鈥
In an emailed statement to CTVNews.ca Thursday, a TransUnion spokesperson confirmed that its customer support agents may request a social insurance number 鈥渨hen locating a customer鈥檚 file or verifying their identity.鈥
However, the company notes that customers are not required to provide TransUnion with that information.
The company also confirmed that Canadian consumer data is only stored on servers inside of Canada.
鈥淚nformation security is a company-wide priority at all levels of our organization,鈥 reads the statement.
鈥淭ransUnion takes a multilayered, risk-based approach to security, which is based on a number of overlapping and redundant controls designed to prevent, detect and respond to cyber threats.鈥
In October, TransUnion confirmed that the personal information of 37,000 Canadians was compromised after one of its business customer鈥檚 login credentials was fraudulently used to access data.
"The unauthorized access was not the result of a breach or failure of TransUnion's systems or our customer's system," a company spokesperson said at the time.
But Brugger isn鈥檛 the only LifeLabs customer to feel wary about TransUnion鈥檚 history -- several people have taken to Twitter to voice their concerns.
In an emailed statement to CTVNews.ca, LifeLabs said the company has discussed previous security concerns with TransUnion and has 鈥渇aith鈥 in the company to provide safe and secure services to its customers.
鈥淭ransUnion has told us that this was an isolated incident involving one of TransUnion鈥檚 business customers and that their systems were not breached and there was no failure of their systems or security controls,鈥 a LifeLabs spokesperson said via email.
鈥淎s such, LifeLabs has faith in TransUnion鈥檚 ability to provide safe and secure credit monitoring and fraud insurance protection to LifeLabs customers who may have been impacted by the breach.鈥
LifeLabs noted that the estimated number of customers impacted by its own security breach has not changed since the initial announcement in December.
Should consumers trust a company with a data breach history? No, experts say
Privacy experts say customers have every right to be wary, especially considering the sensitive medical information already involved in the LifeLabs breach.
鈥淚 wouldn鈥檛 use the word 鈥榯rust鈥 at all,鈥 former Ont. privacy commissioner Ann Cavoukian told CTVNews.ca by phone. 鈥淯nfortunately they have no recourse other than to use Transunion.鈥
Cavoukian, who described the LifeLabs data breach as 鈥渄evastating,鈥 says she is most concerned that the company is only offering one year of personal data protection.
鈥淭he bad guys, the hackers, sit on the data for a year and then they strike,鈥 she explained.
Mahesh Tripunitara, cybersecurity expert at the University of Waterloo, says that a reoccurring theme in both data breaches is the improper archiving of customer information.
鈥淚 love using Google products... [but] the only way I can use Google maps, for example, is to give them my information for them to archive and use as much as they want,鈥 Tripunitara told CTVNews.ca by phone.
鈥淚t鈥檚 the same with LifeLabs鈥攈ow many of us knew they were archiving this information? It鈥檚 probably hidden in some gobbledygook and no one reads that anyway.鈥
Both Cavoukian and Tripunitara agree that companies collecting consumer data need to be more transparent about what kind of information they鈥檙e storing, how long they are storing it for, and what security measures are in place to protect it.
Cavoukian says that starts with consumers demanding to have their data protected.
鈥淐onsumers should be asking companies to protect them,鈥 she said. 鈥淚n posing the question it raises a flag about security and gets them to do more.鈥
Both experts say that the best thing affected LifeLabs customers can do is keep a close eye on their personal and financial data and flag any potential identity theft as soon as it鈥檚 spotted.