TechRadar
Sead Fadilpašić

Loblaw confirms data breach - Canadian retail giant says 'basic customer information' affected


  • Loblaw confirms cyberattack exposing customer contact data
  • Names, phone numbers, and emails stolen, but no passwords or financial info
  • Stolen details could fuel phishing attacks despite being “basic” data

Loblaw has suffered a cyberattack in which crooks stole customers’ basic contact information.

“Loblaw notified customers today that it is investigating a data breach,” it said. “After identifying suspicious activity on a contained, non-critical part of its IT network, the company has determined that a criminal third-party accessed some basic customer information such as names, phone numbers, and email addresses.”

In response to the breach, the company said it “secured its network and customer information,” without elaborating further.

Urging customers to be cautious

Loblaw did say it had logged out all of its users, who will need to log back in to use its services again. It stressed that passwords, health information, and credit card data were not touched.

This is likely why it didn’t reset people’s passwords, just logged them out.

Loblaw is Canada’s largest food and pharma retailer, with approximately 2,500 stores, including supermarkets, pharmacies, banking kiosks, and apparel shops, and plans for an additional 70 locations this year. The company employs 220,000 people and has an annual revenue of $45 billion.

While Loblaw described the stolen data as “basic information”, this is more than enough for cybercriminals to launch convincing phishing attacks. By impersonating Loblaw employees, crooks can trick victims into sharing sensitive data, login credentials, and more, escalating what appears to be a “basic” and almost harmless attack.

Therefore, customers are advised to be particularly cautious with incoming messages (email, SMS, social media) from people claiming to work for Loblaw. Phishing emails usually contain a sense of urgency, such as an expiring offer, or an account that is about to be suspended or terminated.

So far, no one has claimed responsibility for the attack, and the data has not been found on the dark web yet.

Via BleepingComputer

