Skip to main content

Sobeys admits to data breach in fall 2022, alerts customers


It was a cyber-security incident that made headlines across the country late last year. Although the company involved waited until now to confirm it.

The Maritime-based Empire Co. – parent company of Sobeys – acknowledges customers and employees past and present are receiving letters saying their personal information may have been compromised.

Bill Zebedee received his letter in the mailbox late last week from Medical Health Care Services Inc. (MHCSI) -- the company that provides group benefit plans and works with pharmacies, including Sobeys and Lawtons.

Zebedee said when he first read the letter he was confused.

“I was very surprised because I never heard of the company. I contacted them to confirm it was real,” he said.

The letters informed recipients that an unnamed third party gained access to Sobeys servers on Nov. 1, 2022.

Experts say more letters may be sent out.

“This is one particular sub-company within the overall Empire Co. group of companies who may be affected, so we may see different kinds of these letters arriving,” said cyber security expert David Shipley.

The company was heavily criticized for its lengthy silence on the issue for weeks. Business professor Ed McHugh said the letters come as no surprise.

“This breach was large when it happened because they couldn’t accept gift cards at Sobeys for a while and Lawtons [also] had some issues, so we knew the breach was significant and Sobeys had been very quiet about this matter," adds McHugh.

In an email to CTV News, Sobeys said, “With the help of external experts, we have investigated how an unauthorized third party gained access to some of our servers and systems. The process to identify what data has been impacted has been extremely complex, and we’ve now reached a point where we can notify those who were potentially impacted.”

The retail giant also said, “We have seen no evidence that personal data was accessed or removed from our servers; however, out of an abundance of caution, we have sent notifications to those who could have been potentially impacted and in compliance with our regulatory obligations. IT security is and has always been a priority for us. Trust and transparency matter deeply and we regret that this event occurred.”

While the letter shares how the information could potentially be used by hackers, Shipley said clearer communication should have been provided much sooner.

“They should have had a media release in an actual press conference and say we’ve started the process of notifying people, so that way we could have had some understanding of who was going to get what notification so people could actually trust them,” he said.

Sobeys has not been alone in dealing with cyber security issues. In recent years, hackers have targeted various businesses and organizations. McHugh said in this case, it is best to be cautious.

“Be very vigilant in phone calls and emails and if something sounds too good to be true, it probably is,” he said.

As for now, it’s unclear how many letters have been sent out, however, we have learned employees are being offered a one-year subscription to a credit monitoring service.

Letters also urge recipients to keep an eye out for possible phishing attempts and avoiding clicking links or downloading attachments from suspicious emails. Top Stories

Stay Connected