Skip to main content

Companies take different approaches in response to recent cyberattacks

Share

Letters sent to some Sobeys customers and employees about a cyberattack nearly four months ago highlight the different approaches being taken by companies on how and when to share information about recent data breaches.

In a written statement, Sobeys says there’s no evidence of any personal information being taken from the Nov. 1, 2022 breach, and that letters to some customers and employees were being sent “out of an abundance of caution.” The company re-sent the same written statement when asked how many letters had been delivered and if more could be sent.

Empire Company Ltd. has been reluctant to answer pointed questions about the breach and its breadth, which prevented prescriptions from being filled at Sobeys and Lawtons locations for four days. Initially, the company would only call the incident an “IT systems issue” in public statements.

A version of one of the Feb. 13 letters obtained by CTV was received by an employee who last worked for an Empire Company Ltd. business more than a decade ago. The letter urged the recipient to be vigilant for potential phishing attempts and unsolicited communications.

David Shipley, the CEO of Beauceron Security Inc. based in Fredericton, says the letters are a positive development following a long-delay of information from Sobeys.

“I can’t really understand the communications approach on this one,” says Shipley. “The communications approach from the get-go on this one has probably been one of the weaker elements of the response.”

“There’s a lot of really good lessons for others to learn from this in terms of the importance of a very good communications plan, along with all of the other technical recovery plans.”

In late January, Running Room confirmed it's website was hit with a data breach and that some passwords and credit card information had been accessed between Nov. 19, 2022 and Jan. 18.

Indigo Books and Gifts said it was forced to remove its website on Feb. 8 after a cybersecurity incident. The company has since launched a temporary website where customers can browse products with no online abilities to buy. Indigo says credit and debit card information wasn’t compromised during its cyberattack.

A "frequently asked questions" page is included on the Indigo and Running Room  websites regarding the separate breaches. There is no such information to be found on the Sobeys website.

Shipley says it’s important for customers and employees to hold companies accountable for data breaches, but not to outright blame them.

“They’re not the bad guys,” says Shipley. “The bad guys or gals who did this are the criminals or others who perpetrated the crime. What’s important for us all to remember is that when we blame victims for these kinds of crimes we create a culture of shame, and then people don’t want to be transparent.”

“The biggest loss of that is that we don’t get the information we need to understand what the real risks were. Nor do other companies get the valuable insights on things they could learn.”

A January 2023 report from IT security company Check Point Software found cyberattacks increased by 20 per cent in 2022 compared to the previous year.
 

CTVNews.ca Top Stories

Stay Connected