Canadian food retail giant hit by ransomware
A wake-up call for Canada’s agri-food sector
In a press release published Monday, November 7th 2022, Empire Co. revealed that while its grocery stores were still operational, some services were impacted by a company-wide IT issue.
Empire Co. owns 1,500 stores across Canada, including Sobeys, Lawtons, IGA, Safeway, Foodland, Needs and other grocery outlets. “The Company’s grocery stores remain open to serve customers and are not experiencing significant disruptions at this time. However, some in-store services are functioning intermittently or with a delay,” the retailer revealed. “In addition, certain of the Company’s pharmacies are experiencing technical difficulties in fulfilling prescriptions. The Company however remains committed to the continuity of care of all its pharmacy patients.” Empire also added that it’s working on resolving the issues affecting its IT systems to reduce store disruption.
According to employee reports, in affected stores all the computers were locked out and employees were told not to attempt to log in. Employees from across the country said some locations have run short of items because orders cannot be placed as usual, while at others, food that has gone bad has piled up because it couldn’t be removed from the inventory system. For a week, their retail pharmacies were unable to fill new prescriptions and customers were also unable to redeem loyalty points or use gift cards. Staff were concerned they wouldn’t get paid because the payroll system was down. On the first day of the outage, some self-checkout machines weren’t working, causing huge lines and lots of frustrated customers.
Empire Co. has only referred to the incident as “IT system issues,” and has yet to confirm it is was due to a cyberattack.
While Empire is yet to disclose any information linking the outage to a cyberattack, on Thursday November 10th 2022, two provincial privacy watchdogs said they had received data breach reports from Sobeys. Both Quebec’s access to information commission and Alberta’s privacy commission have been notified by the grocer about a “confidentiality incident.” Quebec’s access to information commission indicates that confidentiality incidents occur when there is unauthorized access, use or loss of personal information, or any other breach of the protection of this information.
Sources: CBC article, CBC article, Global News Article, Empire Co. Statement
The experts weigh in:
Sylvain Charlebois, Director of Dalhousie University’s Agri-Food Analytics Lab
“If it gets worse, maybe at some point people will realize how significant a ransomware hitting the food industry can be.” says Sylvain Charlebois, the director of Dalhousie University’s Agri-Food Analytics Lab. “This is the No. 2 grocer in the country dealing with cyber terrorism. That’s a big deal.” He said the hack is worrisome from a privacy perspective because the company manages personal data through credit and debit cards, loyalty programs, and pharmacy prescriptions. The disruption is also significant from a food-security perspective. The food retail industry is a high-volume, low-margin sector, so a significant disruption from a ransomware attack could bring an entire company down, Charlebois said. “Cybersecurity is a huge vulnerability for our supply chains for sure, especially when it comes to food. You’re always a ransomware away from seeing food access becoming an issue in Canada.”
Ritesh Kotak, Tech Entrepreneur and Cybersecurity Adviser
Ritesh Kotak, a cybersecurity adviser and tech analyst, told CBC that sometimes it doesn’t take much to put an entire system at risk. “I would say the most dangerous thing you’re probably going to do today is open email.… Sometimes it’s literally as simple as clicking on a link, downloading something, and before you know it, your system is infected. But then it has a ripple effect where it literally goes and jumps from computer to computer, server to server, thus locking down and infecting entire infrastructures.”
If ransomware is indeed the issue facing Empire, Kotak said he advises companies not to pay the ransom. There is no guarantee that the hackers will relinquish control of the system even if the ransom is paid and instead they may demand additional payments. Kotak expressed that the ransom money may be used to fund organized crime or terrorist activities.
Carmi Levy, Independent Technology Analyst
“Nobody wants to admit that” says Carmi Levy. “Most companies are reluctant to admit they’ve been hacked. If you admit that you were hit by a ransomware attack, then you admit that you didn’t invest enough in cybersecurity and you didn’t take your clients’ and stakeholders’ data seriously enough. And nobody wants to admit that — it’s like the modern day equivalent of the Scarlet Letter.” Levy says he believes talking about cyber attacks is a good thing because it normalizes the issue. However, companies tend to keep quiet because they could be facing pressure from their insurance companies, lawyers, and regulators. In addition, they likely have fears about share prices hanging over their heads.
Robert Hudema, Ted Rogers School of Management at Toronto Metropolitan University
Hudema Agrees saying “This is totally embarrassing for a company, saying I was held hostage and I had to pay a fine. A lot of companies are reluctant to spend money on things that are equivalent to fire extinguishers or alarms or things like that to prevent bad things from happening, and as a consequence, bad things happen.”
“It’s a matter of when, not if that every company that we deal with will probably be affected by some sort of cybersecurity incident. So let’s not write off the companies that are targeted. Let’s recognize that this is a regular fact of life in the modern digital age and we could be victimized just as easily as anyone else.”
What is Ransomeware?
Ransomware is malware that encrypts its target’s systems. The hackers then demand a ransom to unlock the files. In some cases, the hack also gains access to the target’s data, and the ransom will also guarantee it won’t be made public.
We’ve heard this story before..
This is not the only confidentiality incident to recently happen to a Canadian agri-food company.
Maple Leaf Foods Inc. in 2022
Over the weekend of November 4th 2022, Maple Leaf Foods Inc. was also targeted by a cybersecurity attack that successfully impacted their operations early into the week. Currently, Maple Leaf Foods says it’s “continuing to grapple with the effects of a cybersecurity incident that began having impacts on its operations over the weekend.” The company says it’s working with cybersecurity experts to resolve the issue and investigate the root cause of the incident. “Our team has been working tirelessly in creating workarounds for affected systems and processes, and all of our sites ran yesterday,” a statement from the company said the morning of Tuesday November 8th, 2022. “However, the outage is continuing to create some operational and service disruptions that vary by business unit, plant and site.” The company has not explained the exact nature of the cybersecurity incident, or detailed how it has affected operations.
“Upon learning of the incident, Maple Leaf Foods took immediate action and engaged cybersecurity and recovery experts,” the company said in a statement. “Its team of information systems professionals and third-party experts are working diligently with all available resources to investigate the outage and resolve the situation. The company is executing its business continuity plans as it works to restore the impacted systems; however, it expects that full resolution of the outage will take time and result in some operational and service disruptions.”
JBS Foods in 2021
An even larger cybersecurity attack was launched on meat supplier JBS and Alberta-based JBS Canada in 2021 that led to the company paying a ransom of US$11 million in Bitcoin (about $13.3 million CAD) . JBS is the world’s largest meat packer and the attack caused its operations to shut down for several days and stopped livestock slaughter at its plants in several U.S. states, including the company’s facility near Brooks, Alberta which employs over 2,800 people. “On Sunday, May 30th 2021, JBS USA determined that it was the target of an organized cybersecurity attack, affecting some of the servers supporting its North American and Australian IT systems,” the company said in a statement. “Resolution of the incident will take time, which may delay certain transactions with customers and suppliers.”
“This was a very difficult decision to make for our company and for me personally,’” said Andre Nogueira, the CEO of JBS USA. JBS said the vast majority of its facilities were operational at the time it made the payment and the company was able to restore most of its systems from its own backups, but they decided to pay the ransom in order to avoid any unforeseen issues and ensure no data was exfiltrated. The attack targeted servers supporting JBS’s operations in North America and Australia.
“Hackers are going after bigger and more high-profile targets because they know they can be successful,” says Ekram Ahmed, a spokesperson for cybersecurity company Check Point Software Technologies. “When there are headlines out there that the [JBS] actually paid [$11 million] in ransom, the ransomware business attracts new entrants. We can expect things to get worse, and I firmly believe ransomware is now a full-blown national security threat.”
“Ransomware is big business right now,”
“We’re seeing a staggering 102% overall increase in the number of organizations affected by ransomware this year, compared to the beginning of 2020.” says Ekram Ahmed, a spokesperson for cybersecurity company Check Point Software Technologies.
The average cost of recovering from a ransomware attack more than doubled from 2020 to 2021, according to a recent report from cybersecurity firm Sophos. The Sophos study also discovered that only 8% of organizations managed to get back all of their data after paying a ransom, with 29% getting back no more than half of their data. Keep in mind that it’s not only the rasome that can hurt a companies wallet, they also have to consider remediation costs, the cost of downtime, lost orders, operational costs, and more. The Sophos study indicates that the average cost of recovering from a ransomware attack is now 10 times the size of the ransom payment, on average.
Ransomware attacks have become increasingly common and signal a troubling trend. Although hackers usually target smaller, more vulnerable business because they are likelier to have poor cybersecurity and pay the ransom to get their systems back online as quickly as possible, cryptocurrencies, such as bitcoin, have made it easier for hackers to receive ransoms and therefore, target bigger operations.
Hackers have become much more organized and sophisticated in their efforts and are targeting bigger fish — or, in the case of JBS, cows.
