
Cyber Incident Victim: Sobeys

Date:

Nov 2022

Location:

Canada

Summary

A Canadian grocery and pharmacy retailer experienced a ransomware attack that disrupted IT systems across its national network of stores, causing intermittent service delays and technical difficulties in prescription fulfillment; stores remained open, and point-of-sale systems were unaffected because they were segmented from the compromised network. The Black Basta ransomware group, linked to prior Qbot infections and possible ties to FIN7 cybercrime activity, encrypted systems and likely accessed personal information, prompting notifications to provincial privacy regulators; ransom demands observed in related incidents exceeded $2 million.

Motives: 1 motive

Tactics, Techniques & Procedures: 1 technique

Threat Actor: 1 actor

Description

Sobeys, a major Canadian grocery and pharmacy retailer operating under banners including Safeway, IGA, and Lawtons Drugs, experienced a significant cybersecurity incident beginning late Friday, November 4, or early Saturday, November 5, 2022. The attack disrupted IT systems across the company’s national network of 1,500 stores, impacting operations during the weekend and into the following week. Parent company Empire addressed the issue in a November 7 press release, confirming technical difficulties while emphasizing stores remained open with limited service interruptions. Specific disruptions included intermittent functionality of in-store services and delays in prescription fulfillment at pharmacies, though point-of-sale systems operated normally due to their separation from affected networks. Employees reported widespread computer lockouts, with on-site devices displaying ransom notes. Sobeys’ public communications focused on maintaining customer access to essential services while working to resolve the technical problems, though the company did not initially disclose the incident as a cyberattack.


The operational disruptions stemmed from a Black Basta ransomware attack, as evidenced by ransom notes and negotiation chats observed by cybersecurity analysts. Attackers encrypted systems on Sobeys’ network, with the intrusion timeline aligning with employee reports of systems becoming inaccessible over the November 5-6 weekend. Black Basta, a ransomware operation first documented in April 2022, was known for demanding multimillion-dollar ransoms, with at least one confirmed $2 million demand during this period. The group’s infrastructure showed potential links to prior malware campaigns, including Qbot (QakBot) infections used for initial network access, though direct connections to the Conti ransomware operation or the FIN7 hacking group remained unconfirmed. Quebec and Alberta privacy regulators received breach notifications from Sobeys, indicating unauthorized access to personal information. Empire’s response prioritized restoring pharmacy operations and minimizing customer impact while investigating the scope of data exposure. No public statements addressed ransom payment or data recovery methods as of the latest available reports.
