Date: 2024-07-12

Michael Joel-Hansen

Saskatoon StarPhoenix

A major Western Canadian company continues to be affected by an apparent cyberattack, though it says customer data has not been compromised.

On June 27, Saskatoon-based Federated Co-operatives Ltd. (FCL) said it was experiencing what it called a cybersecurity “incident” affecting a range of its operations, including its fuel cardlock system, which supplies fuel to various corporate clients during all hours. That system is now fully back online after service was disrupted for several days.

Specific details about what happened have not been revealed, but FCL said in a statement posted on its social media channels that it did not believe customer data had been compromised by the attack.

As of Wednesday morning, FCL’s website remained offline, along with the websites of various member cooperatives.

Natalia Stakhanova, a professor of computer science at the University of Saskatchewan who holds the Canada Research Chair on Security and Privacy, said from the outside looking in, it’s likely that the company is dealing with some sort of ransomware attack. She said these kinds of incidents have been on the rise lately.

“We’ve been seeing quite a few in the past year, and actually, the numbers have been sort of staggering across Canada and the world,” she said.

A ransomware attack is when hackers find a vulnerability in an organization’s system, then steal valuable information and demand a ransom payment in exchange for what they have stolen. This information can range from communications between high-level managers to customer data.

“It’s actually old-fashioned extortion,” Stakhanova said.

Other food industry companies have also been hit by cybersecurity attacks. On July 2, Agropur Dairy Cooperative said it was the victim of an attack that affected part of its shared online directory, though it did not affect its transaction systems.

Empire Co. Ltd., which owns the Sobeys chain of grocery stores and others, said a cybersecurity attack in November 2022 cost it $25 million. That attack shuttered pharmacy services and affected the company’s self-checkout stalls.

About one in three mid-sized Canadian organizations were hit by ransomware attacks in 2023, with an average ransom payment of more than $1.1 million, according to a survey by Palo Alto Networks Inc. Of those that were affected, 58 per cent said it took more than a month to recover, though 24 per cent said it took longer than four months.

Stakhanova said changes have been observed in the groups carrying out the attacks as the number of cyberattacks has increased. She said hackers who engage in ransomware attacks have started to become more specialized and there are now groups that target certain types of organizations.

Not much is known about the people who comprise these groups, she said.

“We don’t know who they are.”

Since making its first public comments about the cyberattack, FCL said it has been able to get its cardlock gas stations back online, but there are empty shelves at member grocery stores, with signs telling people the lack of supply is due to IT issues.

Stakhanova said these shortages are likely a result of the company having to shut down its system due to the ransomware attack in order to determine how severe it may be.

“You sort of have to follow up and see what happened and how much data they have,” she said.

Stakhanova said hackers can gain access to a company’s system through several avenues, including being the first to discover a vulnerability. It can also be the result of policies not being followed inside an organization. She said it’s unlikely that many specific details of the incident will be made public.

“I doubt the company is going to come forward and tell us exactly what happened.”

Stakhanova said companies that experience ransomware attacks generally hire private companies that can offer them support, including an investigation of the specific incident.

She said legislation in Canada is limited regarding mandatory public disclosure, but the Office of the Privacy Commissioner may need to be informed in certain cases, depending on the organization and the data that has been compromised.

Stakhanova said it’s difficult to put a specific number on the economic impact of such attacks, considering all the areas that come into play, including financial losses as well as reputational damage. In some cases, companies find it’s in their best interests to pay the ransom demand, she added.

“The numbers are very significant.”

