Cyber Incident Victim: Empire Company Limited
Date: Nov 2022
Location: Canada
Summary
A Canadian retail conglomerate experienced a ransomware attack attributed to the Black Basta group, disrupting IT systems across its grocery and pharmacy networks. The incident caused intermittent service delays, including prescription fulfillment problems, but stores stayed open because point-of-sale systems ran on networks segmented from the affected back-office systems. Personal information was compromised, triggering mandatory breach notifications to provincial privacy regulators. Attackers deployed the ransomware payload after an initial network compromise; in other confirmed Black Basta cases, ransom demands have exceeded $2 million. Black Basta, whose intrusions have followed earlier Qbot infections and which researchers have tentatively linked to former Conti or FIN7 operators, is a financially motivated group that combines file encryption with data exfiltration.
Description
On or around November 5, 2022, Canadian grocery and pharmacy retailer Sobeys, a subsidiary of Empire Company Limited, experienced widespread IT system disruptions affecting operations across its national network of roughly 1,500 stores under banners including Safeway, IGA, Foodland, FreshCo, Thrifty Foods, and Lawtons Drugs. The incident became visible over the weekend of November 5-6, with employees reporting locked computer systems while point-of-sale terminals, which sat on separate networks, kept working. Empire confirmed technical difficulties in a November 7 press release, acknowledging intermittent service delays at grocery locations and prescription fulfillment challenges in pharmacies. All stores remained open throughout; customer-facing operations were degraded but not halted, and the company emphasized continuity of care for pharmacy patients and ongoing efforts to restore normal operations.

Subsequent reporting attributed the outage to a Black Basta ransomware attack: employees observed ransom notes and encrypted systems internally, and the attribution was later supported by forensic analysis. The payloads were deployed late Friday or early Saturday, ahead of the operational disruptions, although Empire did not initially attribute the incident publicly to cybercrime. The company filed breach notifications with provincial privacy regulators in Quebec and Alberta, indicating unauthorized access to personal information, as the confidentiality incident reporting rules of those provinces require. Black Basta, first observed in April 2022, had by then established a pattern of high-impact attacks with ransom demands exceeding $2 million in confirmed cases, gaining initial access through vectors that include pre-existing Qbot malware infections; in such cases the intrusion begins well before encryption, at the Qbot stage, which is where defenders have the most time to detect it. The group moved quickly through victim networks and operated within the established cybercrime ecosystem; researchers noted possible but unverified links to the Conti ransomware operation and the FIN7 threat actors based on overlaps in tooling and tactics. Operational impacts persisted beyond initial containment efforts, reflecting the scale of the compromise across a geographically dispersed retail infrastructure supporting 134,000 employees.
