Retailer London Drugs closes stores in Western Canada due to 'cybersecurity incident'

A store closure sign sits outside of the London Drugs Broadway and Vine location in Vancouver on Monday, April. 29, 2024. London Drugs says it has temporarily closed all of its stores in Western Canada as it grapples with a "cybersecurity incident." THE CANADIAN PRESS/Ethan Cairns

VANCOUVER — Confused shoppers milled around the front of a London Drugs store in downtown Vancouver on Monday, some wondering aloud why they couldn't access the store to get prescriptions or buy hair dye.

A metal gate was blocking them from the store at the corner of West Georgia and Granville streets, a security guard occasionally directing perplexed customers to a sign announcing the "temporary store closure."

It wasn't alone — London Drugs shut all of its stores in Western Canada on Sunday as it grappled with a "cybersecurity incident."

In a statement Monday, the retail and pharmacy chain said it learned it was the victim of a cyber incident on Sunday, when it first closed its stores "out of an abundance of caution."

"Upon discovering the incident, London Drugs immediately undertook countermeasures to protect its network and data, including retaining leading third-party cybersecurity experts to assist with containment, remediation and to conduct a forensic investigation," the company said.

"At this time, we have no reason to believe that customer or employee data has been impacted."

The sign at the downtown Vancouver store said it was shut until further notice but pharmacists were standing by for urgent needs. 

It included a number to call for assistance, and the chain said in its statement that pharmacists were still available, but when The Canadian Press rang the automated system Monday morning, the line abruptly disconnected. 

The retailer later issued an update saying its phone lines were temporarily down too, "as a necessary part of its internal investigation." 

Until they were restored, customers in urgent need of medicine should go to their local store in person, it said, and staff would be available to assist them. 

The retailer has offered no timeline for when its stores may reopen.

Canada Post confirmed Monday that offices located inside London Drugs stores are being impacted by the closure, but said customers who have parcels waiting for them can collect them at the stores. 

"Employees will be present to assist them at the store’s front entrance," it said in an email. "If customers must pay any postage fees, they will be required to pay in cash."

London Drugs, a Richmond, B.C.-based business which opened in 1945 with a name meant to be a nod to England's capital, sells everything from pharmaceuticals to groceries and electronics. 

It has more than 80 stores across Alberta, Saskatchewan, Manitoba and B.C.

"We apologize for any inconvenience caused and we want to assure you that this incident is the utmost priority for us at London Drugs," the company said in its statement.

The incident facing London Drugs comes a month after discount chain Giant Tiger Stores Ltd. reported some of its customers' data was compromised in an "incident" linked to a third-party vendor it uses.

Over the last two years, Indigo Books & Music, the LCBO, the Nova Scotia government, the Toronto Public Library and the City of Hamilton in Ontario have also fallen victim to cyber incidents.

The country saw 74,073 police-reported cybercrimes in 2022, up from 71,727 in 2021 and 33,893 in 2018, Statistics Canada data shows.

Experts have long cautioned that cybercrimes tend to be under-reported because of the stigma, embarrassment and repercussions victims often experience.

Cybersecurity expert Jon Ferguson said the London Drugs breach was "obviously significant" enough to shut down the business for multiple days. 

Though the company has not provided details on what happened, he said it was likely "ransomware of some kind."

"A data breach following some type of request for money," he explained. "If you want to play the percentages, that's likely what's going on here in some form."

He noted it could possibly also be lack of ability to process payments, building management or security systems or some other type of data breach. 

"The biggest question and threat that people are trying to evaluate right now is (if there was) personal information loss," he said, noting London Drugs had said they did not believe personal data had been breached.

Ferguson, vice-president of cybersecurity and domain name system at the Canadian Internet Registration Authority, said cybersecurity attacks are a "constant" -- especially in the health-care sector because breaching private information provides bad actors with leverage for personalized and believable phishing attacks. 

"It's very difficult these days to not be doing business with a company that's had some type of of impact because it's so, so prevalent these days," he said.

Ferguson said London Drugs' situation served as a reminder to both companies and individuals to protect themselves against cyberattacks, including updating software on devices and using two-factor authentication.

"Organizations of any size and individuals are susceptible to this type of problem," he said. "We need to focus on getting proactive about things rather than paying the bill when the bad things happen."

This report by The Canadian Press was first published April 29, 2024.

Brieanna Charlebois, The Canadian Press

Return to TownAndCountryToday.com