London Drugs confirms it was victim of ransomware attack
Retailer says it's unwilling to pay ransom after cybercriminals stole files from its corporate head office
Retailer London Drugs confirmed on Tuesday that cybercriminals have demanded a ransom for data that was taken in a cyberattack that caused stores to shut for a week.
The retail and pharmacy chain had to shut down its nearly 80 stores across B.C., Alberta, Saskatchewan and Manitoba for a week after the cyberattack was reported on April 28.
While the retailer had confirmed on Saturday that some employee information was potentially compromised in the breach, it has said neither its primary employee database nor its customer and patient database appear compromised at this point.
In a statement on Tuesday, the chain said it had been the victim of a ransomware attack, and that cybercriminals on the dark web were threatening to leak stolen files from its corporate head office if they were not paid.
London Drugs, which is headquartered in Richmond, B.C., said it was unwilling and unable to pay the ransom to the cybercriminals.
"We acknowledge these criminals may leak stolen London Drugs corporate files, some of which may contain employee information, on the dark web," a spokesperson wrote in a statement.
"This is deeply distressing, and London Drugs is taking all available steps to mitigate any impacts from these criminal acts."
The cyberattack on April 28 prompted the retailer to close its stores for that entire week. It was May 7 before all stores had fully reopened.
"At this stage ... we are not able to provide any specifics on the nature or extent of employee personal information potentially impacted," the spokesperson wrote in the statement. "Our review is underway, but due to the extent of system damage caused by this cyber incident, we expect this review will take some time to perform."
The spokesperson said that, as a precautionary measure, the company has offered all of its employees 24 months of credit monitoring and identity-theft protection services, "regardless of whether any of their data is ultimately found to be compromised or not."
The company also said that it has informed the relevant privacy commissioners of the compromised data, and it is continuing to work with third-party cybersecurity investigators and police to investigate the cyberattack.
Company COO Clint Mahlman had previously referred to "international threat actors" as being behind the attack in an interview with the CBC's Ian Hanomansing on May 8.
Staff continued to be paid during the multi-day closure, Mahlman said. He added that the company went ahead with employee anniversary celebrations, including recognizing its first 50-year staff member.
The retailer opened in 1945 and sells everything from pharmaceuticals to groceries and electronics.
With files from Ian Hanomansing