London Drugs’ cyberattack may have compromised employee information

“Certain corporate files may have been compromised,” London Drugs reports after it experienced a cyberattack.

Three weeks ago, the Canadian retail pharmacy chain announced it was closing stores across Western Canada starting Sunday “until further notice” due to an “operational issue.” Later, the company said it was the victim of a cybersecurity incident and closed stores “out of an abundance of caution.”

An updated statement over the weekend added that while the primary employee-specific databases do not appear to be compromised, an ongoing forensic investigation found evidence that indicates certain corporate files may have been compromised, “some of which contain employee personal information.”

London Drugs was unable to provide specifics on the extent of employee personal information that is potentially impacted, as it is reviewing the impacted data.

However, “out of an abundance of caution,” London Drugs said it “proactively” notified all of its employees.

Staff were also given 24 months of complimentary credit monitoring and identity theft protection services, “regardless of whether any of their data is ultimately found to be compromised or not.”

“We are also updating relevant privacy commissioners of these developments and continue to cooperate with their inquiries regarding this incident,” London Drugs added.

After becoming aware of the cyberattack, the company said, “We immediately deployed countermeasures to secure our network and data from further malicious acts and engaged third-party cybersecurity experts to assist with containment, remediation, restoration, and to conduct a forensic investigation to determine the cause and extent of the incident.”

“We have also notified law enforcement and proactively notified privacy commissioners,” it added.

London Drugs has said that there is no indication that patient or customer databases have been compromised so far.

The company added, “Should this change as the investigation continues, we will notify affected individuals in accordance with privacy laws.”

In the meantime, its review of the impacted data has begun.

“But due to the file structures and extent of the impact, which rendered many files unreadable, we anticipate that it will take time to complete,” London Drugs explained. “Once we have completed our review, we will contact any affected employees directly to inform them of what personal information of theirs was compromised, if any.”

London Drugs has been gradually re-opening its core services in some stores.
