Cyber Incident Victim: Loblaws
Date: Jul 2017
Location: Canada
Summary
Loblaws experienced a second online security breach affecting a limited number of user accounts across its websites, including grocery chain and affiliated platforms. Unauthorized activity compromised account security, prompting the company to advise customers to change their passwords; unlike in a prior incident targeting its loyalty program, it did not force a password reset across all accounts. The earlier breach involved stolen loyalty points tied to weak or third-party-exposed credentials, though the specific data affected in the latest event was not detailed. Affected customers were notified directly, and the incident underscores recurring challenges in safeguarding customer accounts against fraudulent access.
Description
On July 19, 2017, Loblaw Companies Limited notified customers via email that a security breach had impacted a limited number of user accounts across several of its websites, including Loblaws.ca, Joefresh.com, Beautyboutique.ca, and other affiliated grocery chain platforms. The company characterized the incident as involving unauthorized online activity but did not disclose specific technical details regarding the intrusion method, duration, or exact number of compromised accounts. Unlike its response to a prior February 2017 breach targeting PC Plus loyalty program accounts—where Loblaw proactively reset all subscriber passwords—the company opted not to implement mandatory password resets for this incident. Instead, it advised affected users to voluntarily change their passwords as a precautionary measure. The notification email did not specify whether personal data beyond account credentials was accessed, nor did it identify potential threat actors or motives.

This marked the second known security incident affecting Loblaw’s digital systems within five months. The February 2017 breach had exclusively targeted PC Plus accounts, with attackers stealing loyalty points from members. At that time, Loblaw attributed the compromise to credentials exposed through third-party websites or weak passwords reused by customers, though no evidence indicated a direct breach of Loblaw’s internal systems. The July incident expanded the scope beyond the PC Plus program to include primary retail domains, though the company maintained that only a "small number" of accounts were impacted. Public reactions included customer complaints about stolen loyalty points, exemplified by a social media post referencing the theft of accumulated rewards. Loblaw did not release additional technical findings or confirm whether the two breaches were related, stating only that it was investigating the July event. No further disclosures regarding remediation steps beyond password reset recommendations were detailed in the available communications.
