Major Canadian grocery chain says cyberattack cost $25 million
The report does not clarify the nature of the attack, whether it was ransomware or if it was paid
The parent company of the Sobeys grocery store chain says a cyberattack last month will cost $25 million.
The grocery store operator disclosed the estimate in second quarter results released Thursday by Empire Co.
"Empire estimates, based on available information, that the financial impact on fiscal 2023 annual net earnings will be approximately $25 million, net of insurance recoveries," the company said.
The report does not clarify the nature of the attack, whether it was ransomware or if any ransom was paid.
The company owns 1,500 stores across Canada, including Sobeys, Lawtons, IGA, Safeway, Foodland, FarmBoy, Needs and other grocery outlets. Empire reported it earned $189.9 million in its most recent quarter, up eight per cent from $175.4 million in the same quarter last year.
Employees have told CBC News the cyberattack did involve ransomware and caused turmoil at Empire-owned stores across the country. Staff at in-store pharmacies were unable to access their computers to fill prescriptions for several days following the attack and some outlets ran short of items.
The company is still investigating whether customers' personal data was stolen in the attack.
If it finds data has been removed, it will take steps with privacy regulators and impacted individuals, it said.
"The company takes the protection of personal information as critically important."
Nov. 4 attack
Sobeys was hit with what it now calls a "cyber security event" on Nov. 4.
It was previously described as an "information technology systems issue."
Empire says cyber security experts were immediately hired, the source isolated and measures taken to prevent further spread.
Pharmacy services were shut down for four days.
Self checkouts, gift cards and points were impacted for about a week, the company said.
Empire CEO Michael Medline said the company's initial press release "was as specific as we could make it due to security reasons."
He refused to provide any more details, saying "we will not elucidate further on this subject beyond these prepared remarks in our published disclosure."
Medline told analysts on Thursday "our customers would have noticed very few changes to their usual shopping experience. We have been able to fully serve customers for several weeks now and we are in a very good position to help customers celebrate the holidays."
Empire chief financial officer Matt Reindel said the company will not provide the total cost of the attack. The $25-million figure is after expected insurance payouts.
That includes loss of product and direct costs such as informational technology, professional expenses and legal expenses. Empire said it has cyber insurance but there may be a lag between "the incurrence of costs and confirmation of insurance proceeds."
It says the attack will not have a material impact on its bottom line in 2023.