Kit and Ace CEO David Lui closely followed news about the recent cyberattack against London Drugs — an ordeal that forced the large B.C.-based retailer to close all 79 stores for a week in late April and early May before opening locations in tranches.
B.C. Solicitor General Mike Farnworth then made headlines on May 9, when he confirmed what he called a "sophisticated attempt to breach protected B.C. government information systems."
As a retailer, Lui told BIV he feared for his own business.
“It’s always top of mind to protect our customers’ data,” Lui said. “We are constantly on alert because we handle personal data through our e-commerce platform.”
Lui said that his information technology (IT) team is on heightened alert to make sure the company is protected, and that his entire management team pays attention to cybersecurity risks.
His company uses Shopify Inc. (TSX:SHOP) to house much of its e-commerce data because he said that company is “pretty good from a security standpoint.”
The April 28 attack on London Drugs likely cost the company at least tens of millions of dollars in costs and revenue losses. London Drugs and its Louie-family owners are well known for not providing revenue or financial data. The company’s website notes that the general-merchandise retailer employs more than 8,000 workers.
The hackers cost London Drugs revenue during the period it was closed, during which time the company would still have been paying employees and other hard costs. Additional costs included hiring third-party experts to help review what the company described as “billions of lines of data and code.”
Pharmacy staff handled urgent patient needs but sent customers to competitors to refill prescriptions because London Drugs’ computer system was not able to verify the existence of prescriptions.
Some of those customers may have discovered that a competitor is just as convenient, potentially causing London Drugs an incalculable amount of lost future sales.
“They have handled it well,” retail analyst and DIG360 owner David Ian Gray told BIV.
“It’s a criminal case. My guess is that it could be a ransom attack and they are not paying, which is why there were delays.”
He said he believes that police likely told London Drugs executives to avoid speaking to media because they might say something that would affect the actions of those behind the cyberattack.
London Drugs is known for strong customer service and that is what will give it a “credit in the bank” in customers’ minds, Gray said.
“I’m not worried about customers thinking ill of the brand, and if anything, you’re going to find that people really rally to support them.”
How retailers can prepare for cyberattacks
Gray said retailers, such as Lui, are wise to have their entire management teams involved in preventing cyberattacks, and to not leave that responsibility entirely to an IT team.
“They need to be collaborators all on the same page,” Gray said of management teams.
“If there’s a new tool, like an augmented-reality app that a company is looking to deploy, [the head of marketing should] be comfortable identifying early on that there could be some vulnerabilities.”
CEOs, Gray said, should also ensure chief technology officers or chief information security officers feel supported.
There is often a lot of turnover within IT teams, he added, and what can help add stability is a management team ensuring that an IT department is respected and taken seriously.
Management teams should also have playbooks for a range of scenarios, including floods, earthquakes and cyberattacks, Gray said.
Detailed plans, with phone numbers outlining the right people to contact, save valuable time in the event of a crisis, he added.
Companies often spend a lot of time training staff to recognize clues that an email is fraudulent and potentially has malicious links.
Cyberattacks can stem from a careless employee clicking on a virus-laden email link, but that is not how most cyberattacks start, according to The State of Ransomware 2024 survey released by Sophos April 30.
Almost all organizations hit by ransomware attacks were able to identify how hackers gained access to company data, the report noted.
Exploited vulnerabilities were the most common cause, and were responsible for 36 per cent of attacks reviewed in the survey.
Other leading causes included compromised credentials (29 per cent), malicious emails (18 per cent), phishing (13 per cent), brute-force attacks (three per cent) and downloads (one per cent.)
“When we say ‘exploited vulnerabilities,’ 90 per cent or more of the time we mean that something that was on the internet to provide remote access to the business was unpatched,” said Sophos’ Vancouver-based director and global field chief technology officer Chester Wisniewski.
“Usually that’s going to be a firewall, or a virtual private network (VPN), or a VPN server, or some sort of remote-access tool, which since the pandemic has become more common.”
He said that often, patches or security upgrades are available for six months to a year but before IT staff upgrade a company’s remote-access server.
“They’re not fixes that came out yesterday morning and then two hours later you are compromised,” he told BIV. “They are often fixes that have been out for months and just haven’t been applied.”
Hackers tend to want to hold companies for ransom, he added, and rarely drill down into the compromised data to try to find specific customers who could be blackmailed.
That should be some relief to London Drugs’ pharmacy customers.
“They’re not going to screw around with you or try to extort you for $500 because you take Viagra,” he said. “They’re thinking, ‘I don’t have time for that. I’ve got another $2 million victim to hack.’”
One possibility is that cybercriminals could sell data to others, who could then tailor their malicious spam emails with personalized information.
It’s more likely that cybercriminals post the information publicly if a retailer does not agree to pay a ransom, Wisniewski said.
If they threaten to publicly reveal data unless a ransom is paid, and then do not follow through, their “credibility” as blackmailers would be shot, he said.
“The result is nobody wants to buy the data,” he said. “All of our data has been leaked so many times, no criminal is going to pay for stolen data because there’s so much stolen data out there. They don’t need to pay for it. It’s already available.”