Cyber Incident Victim: Suncor Energy
Date:
Jun 2023
Location:
Canada
Summary
A cyberattack on Suncor Energy caused widespread outages impacting its Petro-Canada retail operations. Customers were unable to use the company's app or website, and many gas station locations could only process cash transactions. The incident prompted an investigation with third-party experts, though the company stated it had no evidence of customer, supplier, or employee data being compromised. The outages were reported across multiple major Canadian cities.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around June 23, 2023, Canadian oil giant Suncor Energy experienced a significant cybersecurity incident. The incident manifested initially through widespread service disruptions affecting Petro-Canada, a gas station chain owned by Suncor. Customers began reporting problems on Friday, June 23rd, with an inability to log into the Petro-Canada mobile application and its public website. This digital service failure quickly translated into physical operational impacts at gas stations across the country. Employees at various locations confirmed to media outlets that point-of-sale systems were impaired, forcing many stations to accept only cash payments for fuel and other transactions. The inability to process card payments severely hampered normal business operations.
The geographic scope of the outage was substantial, affecting major urban centers including Calgary, Ottawa, and Toronto, as well as several other cities across Canada. The widespread nature of the disruptions indicated a systemic issue rather than an isolated local failure. Customers took to social media to report the problems and share photographs of gas pumps displaying error messages or bearing signs indicating that card payments were unavailable. The public first received official acknowledgment from the company via a post on the Petro-Canada Twitter account on the evening of Saturday, June 24th. This communication confirmed the company was aware of the ongoing outages and was working to address them, though it did not specify a cause at that time.
Suncor Energy released a formal statement on the evening of Sunday, June 25th, attributing the countrywide outages to a cyber security incident. The company confirmed it had experienced a cyber security incident and was taking measures to investigate and resolve the situation. In its public communication, Suncor stated it was working with third-party cybersecurity experts to assist in the investigation and response efforts. The company also noted that it had notified the appropriate authorities about the breach, though it did not specify which agencies were contacted. A key point in the initial statement was the assertion that, at the time, there was no evidence that customer, supplier, or employee data had been compromised or misused as a result of the situation.
The incident had clear and immediate consequences for business transactions. Suncor explicitly warned that while work to resolve the incident continued, some transactions with both customers and suppliers could be impacted. This indicated that the cyberattack affected backend systems integral to supply chain and customer-facing financial operations, extending beyond the public-facing app and website. The company did not respond to specific media inquiries regarding whether the incident was a ransomware attack, leaving the exact nature of the cyber intrusion unconfirmed in public statements. Similarly, the company did not provide a public estimate for when full service would return to normal, creating uncertainty for customers and business partners.
This incident occurred within a broader context of Suncor's public commitments to cybersecurity leadership. Over the preceding year, the company had made several pledges to improve cybersecurity within the oil and gas sector. Suncor had participated in World Economic Forum events and was a signatory to a Cyber Resilience Pledge alongside other industry players. These commitments explicitly referenced the 2021 ransomware attack on Colonial Pipeline, which caused similar widespread fuel supply disruptions and prompted a White House-led initiative to bolster cybersecurity in critical infrastructure. The Suncor incident echoed the Colonial Pipeline attack in its operational impact, demonstrating the ongoing vulnerability of energy sector infrastructure to cyber threats. The event also followed recent cybersecurity concerns in the Canadian energy sector, including a previously revealed incident involving a Canadian pipeline and Russian hackers that was disclosed in leaked U.S. intelligence documents earlier in the year.
The cyberattack on Suncor Energy and its Petro-Canada retail chain underscored the tangible real-world effects that digital incidents can have on critical infrastructure. The inability to process electronic payments disrupted the primary revenue stream for hundreds of gas stations, inconvenienced countless consumers, and highlighted dependencies on interconnected digital systems. The company's response involved a combination of internal measures, engagement with external cybersecurity experts, and coordination with law enforcement or regulatory authorities. The full extent of the attack's impact, including any potential data exfiltration or financial cost to the company, was not disclosed in the immediate aftermath. The incident served as a prominent example of the challenges faced by the energy sector in securing its operational and information technology environments against increasingly disruptive cyber threats.