Expert points out how companies like London Drugs can avoid cyberattacks

From April 28 until May 7, nearly 80 London Drugs stores across British Columbia, Alberta, Saskatchewan and Manitoba had to shut down because of one cyberattack. It is unclear what kind of data was compromised by hackers and what kind of method they used to invade. However, one thing is clear: more protection is not worthless, according to Fabio Assolini, head of Kaspersky’s Global Research & Analysis Team, Latin America.


The cybersecurity expert points out that something significant happened, but as the company disclosed very few details, it’s difficult to tell precisely what happened.

“Their outage could be caused by many things, such as a ransomware attack, internal sabotage, or an IT outage. Or even an external attack that compromised databases, as we saw in the past by groups such as LapSUS, doing data exfiltration and destruction. The company didn’t say publicly if the incident resulted from a ransomware attack, where it is expected the customer data would have been stolen, to force the company to pay the ransom,” Assolini said.

It is not clear what kind of attack was carried out in the London Drugs case. According to Assolini, ransomware groups usually disclose the names of new victims on their blogs. “We didn’t find any recent mention of London Drugs in any blog, despite the fact that some new groups aren’t publishing victims’ names anymore. The reasons for not disclosing everything publicly are: 1) to give more time for Law Enforcement Agencies to perform an investigation without interference; 2) to collect enough evidence internally to start an investigation; 3) to find a better and faster way to recover; 4) to avoid fees and penalties from Data Law Protection government agencies,” said the head of Kaspersky’s Global Research & Analysis Team, Latin America.

News about the cyberattack: employees’ data could be compromised

Until now, it is not clear what kind of cyberattack hit London Drugs in the week starting April 28. During the cyberattack, nearly 80 stores across British Columbia, Alberta, Saskatchewan and Manitoba, in Canada, had to shut down. The retailer reported yesterday that some employee personal data was compromised during the cyberattack.

The information comes from an internal memo obtained by Global News. According to this memo, London Drugs will provide 24 months of complimentary credit monitoring and identity theft protection services for London Drugs employees.

Below, you can read parts of this memo:

“We are not yet able to provide any specifics on the nature of employee personal information potentially impacted. This is because there are a large number of unstructured corporate files that are not in consistent format and each must be individually reviewed. Out of an abundance of caution, we have proceeded to proactively notify all current employees and provide 24 months of complimentary credit monitoring and identity theft protection services, regardless of whether any of their data is ultimately found to be compromised or not. We are also updating relevant privacy commissioners of these developments and continue to cooperate with their inquiries regarding this incident,” the memo said.

Lessons

According to Assolini, a typical modern cyberattack is not an isolated incident on one employee’s computer but a complex operation affecting a sizable portion of the infrastructure. Therefore, minimizing the damage from a modern cyberattack requires blocking malware and quickly understanding what happened, how it happened, and where it could happen again. “Having a backup plan and adopting contingencies and business continuity policies is also essential,” said the expert.

When I asked whether employees losing their credentials to phishing attacks could have been the cause of the cyberattack, Assolini said it could be. “Initial access brokers usually capture passwords and other critical data, infecting employees’ computers with data stealer malware. After being captured, the credentials will be sold on underground forums and bought by ransomware groups, who use them to break into the corporate networks,” he said.

Other possibilities

Assolini added that employees’ passwords leaked in third-party data-exfiltration incidents could also lead to a compromise.

Ways to avoid it

Finally, Assolini points out ways to avoid a new cyberattack:

1) internal training to help employees identify phishing attacks;
2) add two-factor authentication for corporate mailboxes;
3) use complete endpoint protection with modern detection technologies like EDR and XDR.

Photo: London Drugs/Creative Commons
