How safe is your data? Expert explains following London Drugs cybersecurity issue

On the heels of London Drugs confirming they were hit by a cyber attack, many Albertans are left wondering how safe their personal information is.

CityNews spoke to John Zabiuk, a cyber security program chair at NAIT who said “There’s no way to really know if your information is truly secure or not. Organizations have the responsibility to not divulge your information, we have to follow certain legislation and acts in Canada and in Alberta, that they can’t release your information except for very specific purposes and with our authorization.”

Zabiuk says companies like London Drugs have private policies that say they won’t release your information without your consent.

“Now, that’s with proper use of your data, that they release it with your consent. But in the event of a cyber attack, the bad guys don’t care about that consent, they’re going to try and get that data and they don’t care whether you’ve given consent or not, they are there to exfiltrate all that data,” he explained.

RELATED:

• London Drugs stores remain closed due to cybersecurity issue
• London Drugs stores across Western Canada closed due to ‘operational issue’

While those companies are guaranteeing data protection, Zabiuk says it’s not known what they are doing to protect that data.

“Is it a lack of encryption, do they have a lack of security resources surrounding the data that allows somebody else to have access to it? We just don’t know that so we can never be 100 per cent sure that our data is safe,” Zabiuk explained.

“The larger the company, the better it is for the bad guys trying to do this. Because of course if it’s a very large company and they can shut them down for a day or two, or as we’ve seen recently — a couple of very large casinos in Las Vegas — they can make a lot of money by decrypting the files. Typically the bad guys will charge money, they will say ‘we need ‘x’ number of bitcoins I order to give you the key to decrypt all of your data’ and the larger the company, the more they can ask because the more it will hurt the company the longer they are out of business. The larger the company, the bigger the payout for the bad guys.”

Looking at London Drugs, Zabiuk says they don’t mention anything about their security systems.

“They don’t actually mention anything specific about the technologies they use, which is good, but they do say they will ‘endeavor to protect our information with security measures that are appropriate for the type of information that is being held.’ So again, it’s fairly generic, but they do tell us they are trying to [protect data.]”

As for what information could have been taken.

“There is a lot of information in that system, including your medications if you’re a customer of London Drugs, medical conditions, history, all of your health information like your Alberta Health Care number, or provincial healthcare number, name, birthdate, address, phone number. Basically, there is a lot of information in there that you probably don’t want to be released out onto the internet.”