Let’s start with the one you may have recently heard about… the ransomware attack on Sobeys-owned stores.
You may not be aware of the vast expanse of their reach, so let’s start with some company info. According to their website, “Sobeys Inc. is proudly Canadian, with more than 115 years of experience in the food retail business. As one of only two national grocery retailers in Canada, we serve the food shopping needs of Canadians with approximately 1,500 stores in all 10 provinces under retail banners that include Sobeys, Safeway, IGA, Foodland, FreshCo, Thrifty Foods, and Lawtons Drugs, as well as more than 350 retail fuel locations.”
They go on to list: IGA West, IGA Extra, Marche Tradition, CHALO! FreshCo, Bonichoix, Needs, and Voilà. The website went on to say, “Our core values are our strength and the foundation of who we are: Customer-Driven, People-Powered, Community-Engaged, and Results-Oriented.
And, our purpose – We are a family nurturing families – is our collective passion and mission to nurture the things that make life better, including great experiences, families, communities, and the lives of our employees.”
Sounds like they have their core values and mission firmly in hand. Except, they don’t. You would think a national chain of stores – that is responsible for feeding, fueling, and medicating Canada’s citizens – would prioritize cyber security.
As you know from past articles, Adaptive Office Solutions is all about a multi-layered approach to cyber security. In countless articles, we also write about the number one security threat for businesses… their employees. Combine the two and an essential part of a multilayered cyber security stack is cyber security training. Ongoing cyber security training.
And with a corporation the size of Sobeys – where employees are constantly coming and going – there should be weekly, if not daily, “safe practice” reminders. What did the insider do that created such turmoil and cost the company millions of dollars? Someone (it only takes one person) clicked a link they weren’t supposed to.
BTW, this was no low-level, recent hire. It was an executive.
Inside the turmoil at Sobeys-owned stores after a ransomware attack
In an article by the CBC, they wrote, “Employees of Empire Co., the parent company of Sobeys, have begun to speak out about the turmoil unfolding inside the grocery chain since a ransomware attack began plaguing its computer systems earlier this month.
Workers from across the country say some stores have run short of items because orders cannot be placed as usual, while at others, food that had gone bad initially either piled up or was frozen because it couldn’t be removed from the inventory system.
Pharmacies were unable to fill new prescriptions for a week, customers cannot redeem loyalty points or use gift cards, and staff were concerned last week they wouldn’t get paid because the payroll system is down.
“It’s basically been a mess.… The word that can best describe it — just a mess,” said one employee who works in the front end at a Safeway in western Canada.
The CBC has agreed to protect the identities of employees it has spoken to, as they are worried they’ll be fired if the company knows they shared internal information.
Ransom messages on computers
Empire announced in a news release Nov. 7 that an “information technology systems issue” was disrupting some services, including filling prescriptions at pharmacies. The company did not respond to questions from the CBC last week, but said in a statement Nov. 11 its pharmacies were once again fully operational, though stores were still experiencing challenges.
The company owns 1,500 stores across Canada, including Sobeys, Lawtons, IGA, Safeway, Foodland, Needs and other grocery outlets.
Several cybersecurity experts have said they suspect the company’s systems were hacked, and a ransomware attack — when hackers lock computer systems until money is paid — could be to blame.
The employees who spoke with the CBC said ransomware was indeed the cause of the problem.
“Somebody higher up got an email and basically clicked a link they weren’t supposed to,” said the front-end Safeway employee. “I don’t know the exact dollar figure, but I know it was like millions, like several million.”
The troubles began overnight Thursday, Nov. 3 into Friday, Nov. 4.
When employees arrived for work on Friday, their computers took longer than usual to boot up, and when they finally did, “nothing came up other than this big white block in the middle of the screen that said ransomware, please comply before proceeding, or something like that,” said a worker in a meat and seafood department at a Safeway store.
“I saw the word ransom and that scared me right away.”
Orders at the whim of warehouses
Employees were told not to log in, to unplug certain digital scales, and not to use the scanning equipment that allows them to track inventory.
Without computer systems and handheld scanners, called Telxon guns, stores have not been able to place orders, so in some cases, they have run out of certain items.
After the first day or so of the outage, warehouses began to send products to stores based on what they had available and estimates of what they may need.
“It’s hit and miss what the warehouse is going to send us,” said one employee. “So we’re getting all kinds of weird stuff that we haven’t seen in decades.”
Some stores have not received any orders of a certain product, while others have, so employees from one store have driven over to pick up the needed items from another.
At some stores, staff have been writing out price signs by hand because the system they usually use is not available.
“When we finally get our system back, everything’s going to be so out of whack because nothing is being scanned,” said an employee.
Scheduling and payroll
The computer issues have also disrupted Empire’s ability to maintain its usual scheduling and payroll systems.
“I literally went into work and there was like a schedule written down on a piece of paper and I’m like, what is this?” said a worker.
Some employees are being asked to write down their hours in a logbook.
Employees in the chain are paid every other week, and some were told last week they would not get paid last Thursday, their scheduled payday.
However, workers later told the CBC the company found a workaround: since the first week of the two-week pay period occurred before the ransomware attack, employees would receive the same amount of pay for the second week, even if they did not work the same number of hours. Each employee also received an extra $100 on Thursday to compensate for any extra hours they may have worked the second week.
Once the payroll system is functioning again, any worker who was overpaid will be expected to return overpayments.
Impacts on customers
Many customers are likely unaware of the difficulties employees are dealing with. But some impacts have been clear. On the first day of the outage, some self-checkout machines weren’t working.
“The lineups at the tills, because people aren’t used to that and we pump a lot of people through these self checkouts — so, a lot of pissed-off customers over that,” said a Safeway worker.
Customers have been unable to use gift cards or redeem Scene loyalty points, and stores have been unable to process Western Union transfers — causing frustration for some, one employee said.
The company has not officially told employees the cause of the outage. They have been instructed to simply tell customers it’s an IT issue.
“You kind of feel bad having to like just you know, water it down, what’s really going on, to customers,” said an employee. “You feel like you’re deceiving everybody because there’s more going on behind the doors than what they’re trying to make it out to be.”
Food security concern
Sylvain Charlebois, the director of Dalhousie University’s Agri-Food Analytics Lab, said he has noticed a lot of empty shelves at Sobeys-owned stores since the computer issue began. But so far, Canadians do not seem to be particularly concerned about the issue.
“If it gets worse, maybe at some point people will realize how significant a ransomware hitting the food industry can be,” he said. “This is the No. 2 grocer in the country dealing with cyber terrorism. That’s a big deal.”
He said the hack is worrisome from a privacy perspective because the company holds personal data through credit and debit cards, loyalty programs, and pharmacy prescriptions.
But the disruption is also significant from a food-security perspective. The food retail industry is a high-volume, low-margin sector, so a significant hit from a ransomware attack could bring an entire company down, Charlebois said.
That would mean part of the food distribution system could be disabled, and food prices would likely increase, at least temporarily.
“I have faith in the food industry. They would recalibrate and restart and things like that. But it would take a while,” Charlebois said.
“Cybersecurity is a huge vulnerability for our supply chains for sure, especially when it comes to food. You’re always a ransomware away from seeing food access becoming an issue in Canada.”
All of that because of a single click.
Still not convinced that your business needs a rock-solid cyber security plan? We’ll take a look at 15 other major breaches in Canada.
But, before we do, here’s a reminder from Security Magazine, “Small businesses are attractive targets for cybercriminals because they usually lack the cybersecurity precautions of larger organizations. Forty-three percent of all cyberattacks target small businesses, and the consequences of these breaches can be extremely costly, from lost productivity to company reputation. In fact, 60% of all small business victims of a data breach permanently close their doors within six months of the attack.” (It’s a short, but power-packed article. We HIGHLY recommend that you read it!)
Okay, let’s get to the…
Top 15 Cybersecurity Breaches in Canada
In an article by Cyberlands, they wrote, “A whopping 85% of Canadian companies have been affected by cybercriminals in 2021 which is a 7% increase in comparison with 2020.
As the average cost of a data breach for Canadian companies is 5.4 million, both businesses and government take measures to strengthen the cybersecurity on an organizational and national level:
A Canadian company spends on average 11.1% of its IT budget on security.
The government keeps issuing new legislation such as PIPEDA (Personal Information Protection and Electronic Documents Act) and amendments to the current regulations in order to regulate how companies handle the customer- and business-related data.
Below, we’ve reviewed the most infamous cybersecurity breaches in Canada you should have heard, analyzing their causes and outcomes for various companies and enterprises.
#1 IKEA’s Internal Data Breach Impacted Up to 100,000 Canadians
In May 2022, IKEA confirmed the internal security breach reported between March 1-3 current year, when some of its customers’ personal information appeared in a generic search made by an IKEA employee. IKEA Canada PR leader Kristin Newbigging said that the incident hasn’t affected the banking or financial information of their clients.
Nevertheless, many cybersecurity experts claim that along with outside attacks, companies shouldn’t overlook insider threats. In 2020, the cost of insider threats was $11.45 million and will keep on increasing in the upcoming years. That is why employees should be limited to accessing solely the enterprise data they need to work with. Such a precaution can help to secure the internal data and prevent abusing privileged access.
#2 Financial Services Firm Exposed Personal Data of Over 10 Million Customers
The infamous privacy breach occurred in June 2019 and spanned nearly two years without being noticed. The security department became aware of it only after the organization had been notified by the federal Privacy Commissioner, according to the report.
According to the commissioner’s report, the rogue employee siphoned sensitive personal information collected by Desjardins from customers who had purchased or received products through the organization for at least 26 months. The exposed clients’ data included first and last names, dates of birth, social insurance numbers, street addresses, phone numbers, emails, and transaction histories.
Desjardins’ settlement will provide compensation for identity theft and loss of time related to the personal information breach, paying up nearly $201 million to settle a class-action lawsuit. As mentioned, the overall number of individuals affected by that privacy breach has reached close to 9.7 million Canadians.
To minimize the risks of collection, storage, transmission, or process of any sensitive data, it is recommended to regularly conduct cybersecurity audits and system testing. This investment might seem unreasonable at first, but can help you to timely identify the problems, as well as determine and eliminate the breach-related vulnerabilities.
#3 Telecom Company Bell Canada Reported About the Largest Customer Data Breach
Multiple attacks were also announced by Bell Canada, one of the largest telecommunications companies in the country. According to the announcement in May 2017, the data affected included close to 1.9 million customer email addresses, as well as 1,700 names and phone numbers. The responsibility for the attack wasn’t named, but in the information released it was mentioned the hackers were leaking the information due to Bell’s failure to cooperate with them.
Bell’s representatives have been contacting the affected customers directly to notify them about the incident and advise them to regularly change their passwords and security questions, as well as watch out for suspicious emails. Overall, the information theft has affected nearly 1.9 million customers.
Nevertheless, that’s not the sole cause of a security breach in Bell Canada. Eight months later the company reported a similar case of a data breach that affected up to 100,000 customers. The exposed information included customers’ key personal information, all of which could be sold in underground markets and used for malicious activities.
#4 Home Depot Canada Suffered a Customer Data Leak Following Systems Error
In November 2020, Home Depot Inc. in Canada started receiving the first reports of the data breach that, according to the official press release, “seems to be the result of an internal system error rather than an external attack”. Its customers started receiving reminder emails by mistake for hundreds of orders that were ready to pick up, in some cases users reported receiving up to 1,000 emails per one address or even more. The email content included customer names, email addresses, order numbers, and the last four digits of customer payment cards.
After the confirmation, Home Depot Canada claimed the system error affected a “very small number of customers”, but the cause of the data breach was not disclosed. However, regardless of the small scope of affected clients, there is still a huge threat to customer security, as the personal data leak can be gold for a malicious actor. So, personal information like that can be used for a convincing phishing email, clicking on which the affected customers risk becoming victims.
#5 PayPal-owned Canadian Firm TIO Networks Leaked 1.6 Million Clients’ Records
Global digital payments giant, in December 2017, reported a potential compromise of personally identifiable information for approximately 1.6 million customers on TIO Networks – a Canadian payments platform owned by PayPal.
After the security system vulnerability was detected, TIO Networks immediately suspended all operations of TIO Networks to protect the clients’ data and initiated an internal investigation, in which the experts uncovered multiple cases of unauthorized access to TIO’s network, including areas that stored personal information of some of the company’s customers and customers of TIO billers. Regarding that, the company contacted all customers, billers, and retailers affected as a result of the leak and claimed to keep them updated about the instructions to secure their personal data.
#6 TransUnion’s Major Data Leak May Have Impacted Over 37,000 Clients in Canada
According to October’s 2019 statement, the personal information of about 37 thousand Canadians held by TransUnion may have been compromised in the summer by a third party. The company’s spokesperson David Blumberg claimed that the fraudulent access was gained through the login credentials of one of their business customers between June-July 2019. Since the unauthorized access was not the result of a breach or failure of TransUnion’s systems or the customer’s system, the security breach was detected only a month after.
TransUnion did not disclose what kind of personal information was compromised by the fraudulent login. Still, the credit check by a bank or lender could give access to an individual’s name, date of birth, current and former addresses, information on existing credit and loan obligations, credit repayment history, and potentially their social insurance number.
#7 Canada Post Leaked Personal Data & Orders of Thousands of Cannabis Smokers
In November 2018, the Ontario Cannabis Store (OCS), the only legal supplier in the region at the time of that accident, reported the security accident on their official account on Twitter. The company said hackers accessed the order records of 4,500 customers – it’s roughly 2% of the firm’s customer base. The compromised information included names or the initials of nominated signatories, postcodes, dates of delivery, OCS reference numbers, Canada Post tracking numbers, and OCS corporate names and business addresses.
After the breach was uncovered, Ontario Cannabis Store and Canada Post have been working together to investigate the causes, but the failure by Canada Post to inform customers led to the OCS company taking immediate actions to notify the customers.
Regardless of over 1,000 complaints relating to OCS service, billing issues, and late deliveries received by a local ombudsman, the company still insists that the name of buyers, unless they were accepting the delivery, delivery address, and contents of the order and payment details were not compromised.
#8 Nissan Canada Breach Resulted in a Major Leak of Over 1 Million Customers’ Data
During the last week of 2017, Nissan Canada Finance (NCF) reported about the unauthorized access dated December 11 current year, in which all the current and former customers may have had their details compromised in a data breach. To tackle all the related questions, the company released a statement on their website with the details about the breach, which should definitely become a common practice of any reputable company today.
Due to the official announcement, the data breach may have affected customers who financed their vehicles through Nissan Canada Finance and INFINITI Financial Services Canada. The data that could have been affected in the result covers customer name, address, vehicle information (model, manufacturing date and VIN code), and banking information.
The company responded to a data breach at the highest level: its representatives have contacted Canadian privacy regulators, law enforcement, and leading data security experts to help investigate; the clients have been offered 12 months of credit monitoring services through two national credit bureaus at no cost. Additionally, NCF provided contact links and comprehensive knowledge bases for more information about how customers can protect themselves.
#9 Superior Plus, Canadian Propane Distributor, Has Reported a Security Incident
Canada’s largest propane distributor with roughly 800,000 customers across the U.S. and Canada has announced a major ransomware attack started on December 12, 2021. To secure the internal system during the attack and start the investigation process, Superior Plus temporarily disabled certain computer systems and applications. Additionally, the company drafted cybersecurity experts to help deal with the incident and assess the impact of the breach.
The official announcement said that during the investigation process there was no evidence that client security or any personal data had been compromised. However, Superior was unclear about which ransomware group might be behind the attack or which systems were affected. Still, third-party cybersecurity experts warn that the fact Superior has taken certain systems offline is an indication that the attackers were successful.
A similar case happened to Superior’s biggest competitor, AmeriGas, which was also impacted by a cyberattack earlier this year. This means that it’s never been more important to tighten up and get the security practices right: least privileged and resilient, yet planning for the worst and timely detecting the possible threats.
#10 Over 2.5 Million Canadians’ Data from Cosmetics Giant Yves Rocher Potentially Leaked
In September 2019, the personal data of about 2.5 million Canadian customers of cosmetics brand Yves Rocher were left exposed on an unsecured database. Cybersecurity researchers have discovered the system vulnerability was located in the Elasticsearch database where Yves Rocher clients’ data was saved. According to the primary sources, the data affected include first and last names, dates of birth, phone numbers, email addresses, and zip codes. This security vulnerability enabled third parties to access the API of the internal database used by Yves Rocher employees, with the ability to add, delete, and/or modify said data.
In addition to that, the data exposed also contained gigabytes of internal information, such as store traffic statistics, turnover, order volumes, product details, offer codes, and even ingredients for more than 40,000 retail products. Such a large data leak put the reputation of cosmetics brand Yves Rocher under question, and so was the security of its client data and the company’s internal system.
#11 LifeLabs Data Breach Affected Over 15 Million Canadians
The LifeLabs company is the largest provider of medical lab diagnostic services in Canada, so almost half of Canada’s total population has had some sort of testing done by this vendor – and that’s what makes this security breach stand out from other cases.
According to the news sources, the data breach occurred in October 2019 and is considered to be the largest in Canada in terms of personal record count. The company didn’t reveal the ransomware attack until December 17, when the official statement was posted on their website. Having affected the personal information of an estimated 15 million Canadians already (it’s nearly 40% of all Canadians), a civil lawsuit introduced in Toronto was seeking a total of $1.14 billion in damages.
In their public statements, LifeLabs indicated they have made a certain sort of payment to retrieve the data, without clarifying the success of this operation and details of the attack. It’s worth mentioning that there is still no guarantee that paying a ransom gets the data out of unauthorized hands, so neither the company nor its customers can be entirely sure that copies were not made.
#12 CVS and Walmart Canada Claimed About a Customers’ Banking Data Breach
In July 2015, CVS and Walmart Canada retailers informed that a data breach at their Canadian information technology vendor may have leaked credit card information from their online photo processing websites, possibly compromising data on millions of users. To secure the customer data, retailers temporarily shut down the online photo processing services and related mobile services and initiated an internal investigation to evaluate the scope of the breach and damages. Additionally, customers have been informed about checking their credit card records for any suspicious activity, but the overall number of affected people remained uncertain.
According to the official information, PNI Digital Media provides not only the hosting services for the photosites and customer payment information, the vendor is also providing software for the online photo processing services of a third retailer, Costco. After the issue was discovered, PNI was additionally investigating a potential credit card data security issue, reassuring the protection of the information is their number one priority.
#13 Panasonic Confirmed the Data Breach of 2.7 GB
In April 2022, Japanese technology giant Panasonic officially confirmed its Canadian operations were hit by a February cyberattack that affected internal systems, processes, and networks. The company, however, did not confirm whether the incident was the result of a ransomware attack, what data was accessed and how it worked, or what was the scope of the data affected.
The responsibility for the attack was claimed by the Conti ransomware-as-a-service group, saying that they obtained more than 2.7 gigabytes of data from Panasonic Canada. As proof, they’ve provided a leaked page with Panasonic internal files, spreadsheets, and documents belonging to HR and accounting departments.
Regardless of Panasonic’s efforts to restore the operations and data, and continuously improve the security of their internal systems, that’s not the first time the company’s experienced a data breach. A similar incident happened six months prior, in November 2021, when Panasonic confirmed a third party accessed its network and data.
Nevertheless, this company is not alone: according to SonicWall’s 2022 Cyber Threat Report, governments worldwide saw a 1,885% increase in ransomware attacks, which only confirms the importance of strengthening cybersecurity precautions.
#14 Canadian Internet Service Provider Rogers Communications Suffered from a Massive Data Breach
Toronto-based Rogers – one of Canada’s largest telecom providers – has confirmed the information about the massive company and client data leak from March 1, 2015, when the group of hackers calling itself TeamHans linked to a dump of allegedly stolen data on Twitter. It is reported that the leaked data includes emails and contact details of 50 to 70 mid-size businesses whose accounts were managed by the targeted Rogers employee. Since the accident, the company hasn’t authenticated the security breach, but the leaked Rogers breach report says that “a large number of [the employee’s] corporate emails were forwarded to 2 suspicious-looking email accounts on Feb 21st”.
#15 National Healthcare Chain Homewood Health Confirmed the Recent Data Breach Hit
On July 19, 2021, stolen documents were put up for sale on Marketo by ransomware. The files appeared to be agreements between Homewood Health and the University of Lethbridge, in addition to a list of persons with a provincial workers’ compensation board. The company itself hasn’t commented on the accident but confirmed the security breach to CTV news. The responsibility for the data breach has been pinned on Hafnium, a group of state-sponsored Chinese hackers.
Conclusion
These were the most infamous cybersecurity breaches in Canada to know so far. We hope that the experience of these companies and enterprises has helped you to gain more knowledge about cyberattacks and define the most effective strategies for improving the security of your business.”
Every single device that connects to the internet poses a cyber security threat, including that innocent-looking smartwatch you’re wearing. Adaptive’s wide range of experience and certifications fills the gaps in your business’s IT infrastructure and dramatically increases the effectiveness of your cybersecurity posture.
At Adaptive Office Solutions, cybersecurity is our specialty. We keep cybercrimes at bay by using analysis, forensics, and reverse engineering to prevent malware attempts and patch vulnerability issues. By making an investment in multilayered cybersecurity, you can leverage our expertise to boost your defenses, mitigate risks, and protect your data with next-gen IT security solutions.
Using our proactive cybersecurity management, cutting-edge network security tools, and comprehensive business IT solutions you can lower your costs through systems that are running at their prime; creating greater efficiency and preventing data loss and costly downtime. With Adaptive Office Solutions by your side, we’ll help you navigate the complexities of cybersecurity so you can achieve business success without worrying about online threats.
To schedule a Cyber Security Risk Review, call the Adaptive Office Solutions’ hotline at 506-624-9480 or email us at helpdesk@adaptiveoffice.ca