Nova Scotia

Owner of Sobeys, Safeway stores tight-lipped on IT problems impacting pharmacies

Empire Company, which owns 1,500 grocery stores across Canada, started experiencing problems late last week. Another major company, Maple Leaf Foods, is also experiencing issues and says it's working with cybersecurity experts.

Empire Company owns 1,500 grocery stores across Canada

Sobeys and other stores owned by parent company Empire are dealing with an information technology systems issue that has impacted some operations across the country. (Craig Paisley/CBC)

Two major Canadian food companies continue to keep mum about information technology problems that have plagued their operations for days and as the silence drags on, some experts say a ransomware attack could be behind the issues.

Empire Company, which owns 1,500 stores across Canada, including Sobeys, Lawtons, IGA, Safeway, Foodland, Needs and other grocery outlets, said Monday an "information technology systems issue" was causing some of its pharmacies to experience difficulty fulfilling prescriptions. Signs posted at some stores also said the gift card and Scene points systems were down.

The company has not released any further information about the issues affecting the chain, and did not respond to questions posed by CBC News on Tuesday.

Meanwhile, Maple Leaf Foods says it's continuing to grapple with the effects of a cybersecurity incident that began having impacts on its operations over the weekend.

The company says it's working with cybersecurity experts to resolve the issue and investigate the root cause of the incident.

"Our team has been working tirelessly in creating workarounds for affected systems and processes, and all of our sites ran yesterday," a statement from the company said Tuesday morning.

"However, the outage is continuing to create some operational and service disruptions that vary by business unit, plant and site."

The company has not explained the exact nature of the cybersecurity incident, or detailed how it has affected operations.

Silence may be telling

Ritesh Kotak, a cybersecurity adviser and tech analyst, told the CBC's Information Morning Nova Scotia on Tuesday he suspects a breach has taken place at both companies.

"Sometimes it's not the information they give us, it's what they don't give us. And when you use such vague language such as an 'IT incident' and then Maple Leaf Foods comes out and says no, it's a cybersecurity incident and we have hired recovery experts, makes me think that it's probably a third-party system that is used by grocery chains that had some sort of vulnerability in it that was exploited by hackers and hit with ransomware."

Kotak said sometimes it doesn't take much to put an entire system at risk. 

Cybersecurity expert Ritesh Kotak says he suspects a breach has taken place at both companies. (submitted by Ritesh Kotak)

"I would say the most dangerous thing you're probably going to do today is open email.… Sometimes it's literally as simple as clicking on a link, downloading something, and before you know it, your system is infected. But then it has a ripple effect where it literally goes and jumps from computer to computer, server to server, thus locking down and infecting entire infrastructures."

If ransomware — malicious software that locks down a system's data until ransom is paid — is indeed the issue facing Maple Leaf or Empire, Kotak said he believes companies should resist paying the ransom because there's no guarantee the hackers will relinquish control of the system, they may demand even more payments, and the money is often used to fund organized crime or terrorist activities.

"This money, it doesn't go to somebody in their basement. It's organized, it's sophisticated, there's entire networks and it goes on to fund nefarious activities."

'Nobody wants to admit that'

Most companies are reluctant to admit they've been hacked, says Carmi Levy, an independent technology analyst based in London, Ont.

"If you admit that you were hit by a ransomware attack, then you admit that you didn't invest enough in cybersecurity and you didn't take your clients' and stakeholders' data seriously enough. And nobody wants to admit that — it's like the modern day equivalent of the Scarlet Letter."

Analyst Carmi Levy says companies are often reluctant to talk about cyberattacks. (CBC)

Robert Hudema with the Ted Rogers School of Management at Toronto Metropolitan University, agrees.

"This is totally embarrassing for a company, saying I was held hostage and I had to pay a fine," Hudema said. "A lot of companies are reluctant to spend money on things that are equivalent to fire extinguishers or alarms or things like that to prevent bad things from happening, and as a consequence, bad things happen."

But Levy said he believes it's a good thing when companies talk about cyberattacks because it normalizes the issue.

"It's a matter of when, not if that every company that we deal with will probably be affected by some sort of cybersecurity incident. So let's not write off the companies that are targeted. Let's recognize that this is a regular fact of life in the modern digital age and we could be victimized just as easily as anyone else."

Lack of transparency 

Cybersecurity expert David Shipley of Beauceron Security said he has a lot of empathy for the IT teams and senior executives who have to deal with cybersecurity problems.

"This is probably the worst week of their lives," he told Information Morning Fredericton.

He said companies tend to clam up because they are facing pressure from their insurance companies, lawyers and regulators and concerns about share prices may also be hanging over their heads.

A man with a blue shirt stands in an office.
Beauceron Security's David Shipley says there should be more transparency from regulators in the food industry about cyberattacks. (Jennifer Sweet/CBC)

Shipley said there is also a tendency to "victim-blame" companies that are targeted by well-financed cybercriminals.

"The reality is, if it is a ransomware attack, these groups are run like international businesses and they're damned good at what they do and it's almost impossible to protect any organization 100 per cent of the time."

Shipley praised Maple Leaf for being transparent about its cybersecurity issue, and said companies such as Empire, which are publicly traded, may have to disclose any financial losses stemming from its IT issue in its quarterly or annual statements.

But he said there should be more disclosure and accountability from regulators, similar to the airline industry which must reports on incidents that affect safety and security.

"The reality is there are not a single law on the books that says that Canadians deserve to know what happens with this," he said.

"But we depend on food delivery even more than we depend on the airline industry and it impacts Canadians every single day. But we have zero accountability with that."

ABOUT THE AUTHOR

Frances Willick is a journalist with CBC Nova Scotia. Please contact her with feedback, story ideas or tips at frances.willick@cbc.ca

With files from Information Morning Nova Scotia, Information Morning Fredericton and Meegan Reid

Add some “good” to your morning and evening.

A variety of newsletters you'll love, delivered straight to you.

Sign up now

Comments

To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.

Become a CBC Member

Join the conversation  Create account

Already have an account?

now