Cyber News & CTI Reports :: 2026-03-12 | Canadian retail giant Loblaw notifies customers of data breach

2026-03-12 | Canadian retail giant Loblaw notifies customers of data breach

1. AI Summary

Loblaw reported a breach exposing names, phone numbers and email addresses; no financial or health data was compromised; customers were logged out and advised to change passwords; no threat actor claimed responsibility.

2. IOCs

IOC Type Value Description Relevant MITRE ATT&CK Techniques

3. MITRE ATT&CK

Code Title
T1566.001 Phishing: Spearphishing Attachment - Stolen PII could be used for spearphishing campaigns targeting customers
T1071.001 Application Layer Protocol: Web Protocols - Potential use of web protocols for exfiltration of customer data

4. Targets

Type Value
Country Canada
Sector Retail

5. Article Details

6. Original text

Loblaw Companies Limited (Loblaw), the largest food and pharmacy retailer in Canada, announced that hackers breached a portion of its IT network and accessed basic customer information.

The retailer has a nationwide network of 2,500 stores (franchise supermarkets, pharmacies, banking kiosks, and apparel shops) and plans to expand with 70 new ones this year as part of a five-year plan to invest $10 billion by 2030. The company employs 220,000 people and has an annual revenue of $45 billion. Its best-known commercial banners and brands are Loblaws, Real Canadian Superstore, No Frills, Maxi, President’s Choice, PC Optimum, and Joe Fresh.

Earlier this week, the company informed customers that it had detected suspicious activity on its network that led to discovering an intrusion. “After identifying suspicious activity on a contained, non-critical part of its IT network, the Company has determined that a criminal third-party accessed some basic customer information such as names, phone numbers, and email addresses,” Loblaw said.

The exposed data constitutes personally identifiable information (PII) and could be used in phishing attacks and fraudulent activities. Loblaw customers should remain vigilant for suspicious communications from unknown contacts.

The company noted that its investigation so far has not found evidence that financial information, such as credit card details, health information, or account passwords, was compromised. However, out of an abundance of caution, Loblaw says it has automatically logged out all customers from their accounts. Account holders who need to access the company’s digital services will have to log in again. It is advisable that customers also change their passwords.

Loblaw’s investigation indicates that PC Financial, its financial services brand, hasn’t been impacted by this incident.

At the time of writing, BleepingComputer could not find a threat actor claiming the attack publicly or any Loblaw data being advertised on underground forums.