
Cyber Incident Victim: Loblaws

Date: Feb 2017

Location: Canada

Summary

A security breach impacted PC Plus rewards accounts, resulting in unauthorized access and theft of customer points. The company attributed the incident to compromised credentials, noting that affected individuals likely reused weak or previously exposed passwords from other platforms such as Yahoo and LinkedIn. Internal monitoring detected unusual activity, prompting an investigation into potential IT vulnerabilities. The breach led to direct financial loss for customers through stolen loyalty points and necessitated password resets. The company advised users to strengthen their authentication credentials while continuing to assess system security.


Description

In early February 2017, Loblaw Companies Limited confirmed a security breach affecting its PC Plus rewards program, with unauthorized access to customer accounts resulting in the theft of loyalty points. The company publicly disclosed the incident on February 9 after detecting unusual account activity, though the exact timeline of initial compromises remained unspecified. Kevin Groh, Loblaw's Vice-President of Corporate Affairs and Communication, formally characterized the event as a breach due to the confirmed unauthorized access and theft of points from individual member accounts. Investigation findings indicated that attackers exploited weak or reused username-password combinations that customers had employed across multiple online platforms. This credential-stuffing approach leveraged credentials previously exposed in unrelated third-party breaches, including high-profile incidents at Yahoo (2013) and LinkedIn (2012), which Loblaw referenced in communications to customers.

Loblaw initiated customer notifications about suspicious activity via email in late January 2017, prior to the public disclosure, advising members to update their passwords. Following confirmation of the points theft, the company's IT security team intensified monitoring for anomalous account behavior while investigating potential systemic vulnerabilities in their systems. No evidence suggested Loblaw's own infrastructure suffered a direct compromise; instead, the breach stemmed from compromised customer credentials obtained elsewhere. The company implemented no immediate system-wide shutdowns comparable to Canadian Tire's concurrent website access suspension, which occurred during the same timeframe but involved separate incidents. Loblaw focused on urging customers to create unique, complex passwords while continuing internal investigations into the scope of account compromises and points theft. The public disclosure omitted specific figures regarding the number of affected accounts, financial value of stolen points, or recovery mechanisms for lost rewards.
