A woman waits outside of a London Drugs location in Vancouver on April 29. The retailer has temporarily closed all of its stores in Western Canada as it grapples with a 'cybersecurity incident.'ETHAN CAIRNS/The Canadian Press
Vancouver-based London Drugs has closed all its stores after a weekend cyberattack – the latest Canadian retailer to see its operations disrupted.
The company operates 79 stores, most of them in British Columbia and Alberta, as well as in Saskatchewan and Manitoba. All are closed “until further notice,” spokesperson Jessica Harcombe Fleming wrote in a statement Monday.
London Drugs “was the victim of a cybersecurity incident” on Sunday, according to the statement, and took the step of shutting down its locations “out of an abundance of caution.” The company’s e-commerce site is also unable to fulfill orders for the time being.
However, pharmacists are prepared to assist “any customers with urgent pharmacy needs,” the statement added, advising people to visit their local store if that is the case. (Pharmacists are on-site even though stores are temporarily closed.)
Cyberattacks are a growing concern for businesses across Canada and around the world. Other retailers have lost tens of millions of dollars in sales and costs related to such incidents, including Indigo Books & Music Inc. – which saw its systems knocked offline and sensitive employee data compromised in a hack last March – and Sobeys parent Empire Co. Ltd., which was hit by a breach in November, 2022. As of last month, the grocer was still working with its insurance providers to file claims related to the incident, citing the “complexity” of cyber insurance for the time lag.
“These cyberattacks are a nasty piece of business. I wouldn’t wish them on my worst enemy,” Empire chief executive officer Michael Medline said on a conference call with analysts last year.
Data security is also a concern. Sensitive employee data were compromised in the Indigo hack, and the Liquor Control Board of Ontario disclosed last year that it had experienced data breaches targeting customers’ personal information on two separate occasions.
Hackers who breach a company’s system will frequently demand a ransom to restore access or to return sensitive data. London Drugs spokespeople did not respond to a question about whether a ransom demand was made, but the statement noted that, currently, “we have no reason to believe that customer or employee data has been impacted.”
The retailer has brought in third-party cybersecurity experts to help contain the incident and conduct a forensic investigation. The company’s spokespeople did not respond to a question about whether law enforcement had also been called in to investigate.
“London Drugs is such a careful company – if it can happen to them, it can happen to anybody,” said David Ian Gray, a Vancouver-based consultant to the retail industry. Mr. Gray said he has seen the pace of cyberattacks increase in the past two years, adding that he knows of a number of other retailers that have experienced cybersecurity incidents over that period and never disclosed it publicly.
“This is the most urgent and important area in retail right now,” he said.
Susan Krashinsky Robertson