All London Drugs stores remain closed after ‘cybersecurity incident’

All London Drugs stores remained closed across Western Canada on Tuesday morning, two days after the B.C.-based company announced it was dealing with a “cybersecurity incident.”

A statement issued by the company at 7:20 a.m. PT Tuesday said its stores “will remain temporarily closed … until further notice while continuing to provide customers with urgent pharmacy care.”

“London Drugs is currently working with leading third-party cybersecurity experts to bring our operations back online in a safe and secure manner.”  

The retail and pharmacy chain, which has more than 80 stores across B.C., Alberta, Saskatchewan and Manitoba, said it closed its stores “out of an abundance of caution” while it employed experts to investigate the incident. 

“Our investigation is currently assessing the extent to which any data has been compromised in the incident. In the event our investigation determines that personal information was impacted, we will notify affected individuals in accordance with privacy laws,” the statement said. 

The retailer offered no timeline for when its stores may reopen. 

“Recognizing the impact these closures have had on our customers and employees across Western Canada, it remains our priority to continue working around the clock to have all stores fully operational,” London Drugs COO and president Clint Mahlman said in the statement Tuesday.

“We appreciate everyone’s patience and support during this very difficult time and will provide updates as available.”

A sign posted on a glass door.
London Drugs has provided no timeline for when it will reopen. (Ben Nelms/CBC)

The company said pharmacists were standing by for urgent needs.

The company’s phone lines also remain down, but it said customers can go to their local store in person where staff would be available to assist them.

Canada Post confirmed Monday that offices located inside London Drugs stores are being affected by the closure, but said customers who have parcels waiting for them can collect them at the stores.

If customers have to pay any postage fees, they will have to pay in cash, Canada Post said.

London Drugs, a Richmond, B.C.-based business that opened in 1945, sells everything from pharmaceuticals to groceries and electronics.

The incident facing London Drugs comes a month after discount chain Giant Tiger Stores Ltd. reported some of its customers’ data was compromised in an “incident” linked to a third-party vendor it uses.

Over the past two years, Indigo Books & Music, the Liquor Control Board of Ontario, the Nova Scotia government, the Toronto Public Library and the City of Hamilton in Ontario have also fallen victim to cyber incidents.

The country saw 74,073 police-reported cybercrimes in 2022, up from 33,893 in 2018, Statistics Canada data shows.

Experts have long cautioned that cybercrimes tend to be under-reported because of the stigma, embarrassment and repercussions victims often experience.

A line up of people.
Customers outside a closed London Drugs in Surrey, B.C., on Monday. (Ben Nelms/CBC)

Cybersecurity attacks are a ‘constant’: expert

Cybersecurity expert Jon Ferguson said the London Drugs breach was “obviously significant.”

Though the company has not provided details, he said it was likely ransomware of some kind — “a data breach following some type of request for money.” 

He noted it could possibly also be lack of ability to process payments, building management or security systems or some other type of data breach.

“The biggest question and threat that people are trying to evaluate right now is [if there was] personal information loss,” said Ferguson, vice-president of cybersecurity and domain name system at the Canadian Internet Registration Authority.

He said cybersecurity attacks are a “constant” — especially in the health-care sector because breaching private information provides bad actors with leverage for personalized and believable phishing attacks.

“It’s very difficult these days to not be doing business with a company that’s had some type of of impact because it’s so, so prevalent these days,” he said.

Ferguson said London Drugs’ situation served as a reminder to both companies and individuals to protect themselves by updating software on devices and using two-factor authentication.

“Organizations of any size and individuals are susceptible to this type of problem,” he said. “We need to focus on getting proactive about things rather than paying the bill when the bad things happen.”


Posted in CBC