Vancouver Sun

London Drugs is the latest, likely not the last, victim of cybercrime

Digital attack ‘something that's just an ever-present threat,’ consultant suggests

- DERRICK PENNER depenner@postmedia.com x.com/derrickpenner

While London Drugs' 79 stores remained closed Tuesday grappling with the aftermath of a still undisclosed cyberattack, retail experts are bracing for the next likely instance in an increasingly connected world.

“This is something that's just an ever-present threat,” said retail consultant David Ian Gray of the firm Dig360 Consulting.

News that the retail giant, with an estimated $3 billion in sales in 2022, according to a 2023 ranking by the magazine B.C. Business, had been the victim of an attack was just the latest high-profile incident in a list that included bookstore Indigo.

Indigo, in early 2023, was hit with a ransomware attack, the most common attack that companies face, according to research by the law firm Blakes, and saw its online operations shut down for a month.

The cybersecurity firm Fortinet recorded a 35 per cent rise in cyberattack alerts in 2023, versus 2022, “highlighting a surge in cyberthreats across various sectors,” according to the firm's global security strategist, Derek Manky.

“(Ransomware) and other attacks are becoming increasingly specific and targeted, thanks to the growing sophistication in attackers' tactics, techniques and procedures,” Manky said in a statement.

Gray said the extent to which retail trade has been digitized, giving customers real-time access to store inventories, down to single items in particular stores, is what brings operations to a halt.

“The speed to which (retail) is becoming digitized just opens up mass complexity around how to really make sure you've got (security) covered,” Gray said.

He estimated that London Drugs will remain closed, and unlikely to say a lot about the incident, until the chain is “100 per cent certain” it has secured its operations.

London Drugs, in a statement Tuesday, said it's working with a “leading third-party cybersecurity expert” to determine whether anyone's personal information was compromised and “bring our operations back online in a safe and secure manner.”

“Recognizing the impact these closures have had on our customers and employees across Western Canada, it remains our priority to continue working around the clock to have all the stores fully operational,” the chain's chief operating officer, Clint Mahlman, said in a statement.

London Drugs' statement said phone lines have been taken down temporarily “as a necessary part of (the) internal investigation,” but will be restored as soon as they can. It said pharmacy staff will be on-site in all stores to help with “urgent pharmacy needs.”

The retailer is advising pharmacy customers to visit stores in person, during business hours, “for immediate support.”

Coincidentally, Gray said he has been involved in organizing an event in Toronto to talk to retail executives about the strategic implications of cybercrime, in addition to the risks of losses from shoplifting and theft of cargo that were already there.

“And it's not a matter of did London Drugs do anything bad or were they ill-prepared,” Gray said. “For every retailer, it's a matter of when not if they're going to contend with something.”

Blakes, in its 2023 study of Canadian cybersecurity trends, found that “all industries remain susceptible to a cybersecurity incident,” with attackers who are increasingly aware of how valuable data is to the organizations they target.

According to the Blakes study, attackers are also aware of legal obligations that can be triggered when an organization's data has been accessed or downloaded.

Last October, the B.C.-headquartered lab services firm LifeLabs reached a $9.8 million settlement in relation to a 2019 ransomware cyberattack that saw the information of up to 15 million customers compromised. The settlement involved up to 8.9 million of those.

Blakes, in its 2023 study, said about 70 per cent of the incidents it reviewed included its own clients, third parties and the 860 Canadian public companies that made cybersecurity-related disclosures. The study found attackers accessed company data in 77 per cent of cases and two-thirds of victim companies paid a ransom in the attacks.

Fortinet, in its 2023 findings, said 50 per cent of its detections of malware came through the distribution of Microsoft Office files such as Excel, Word and PowerPoint.

Indigo, in 2023, didn't pay a ransom and didn't release a tally of all the incident's costs, but it happened in a quarter when the retail operations lost $50 million, according to filings. The company did report it spent $5.2 million alone responding to the ransomware attack.

Photo: NICK PROCAYLO. London Drugs, in a statement Tuesday, said it's working with a “leading third-party cybersecurity expert” to determine whether anyone's personal information was compromised in the aftermath of a still undisclosed cyberattack.
