London Drugs employee data leaked on dark web after cybersecurity breach

More than three weeks after a cybersecurity breach that forced London Drugs to temporarily close its stores, the company acknowledged that sensitive employee data have been leaked.

Russian malware group LockBit posted hundreds of files on the dark web on Thursday, after a deadline it set for the Vancouver-based retailer to pay a ransom had passed. That included files that appeared to contain financial and personal information about the company’s employees such as sexual harassment complaints, immigration applications, relationship disclosures and termination letters, The Globe and Mail has verified.

“London Drugs has been named by cybercriminals as a victim of exfiltration of files from its corporate head office, and we are aware that some of these exfiltrated files have now been released,” said a company statement provided by spokesperson Jessica Harcombe Fleming on Thursday.

The Globe analyzed the information about London Drugs’ employees available to be downloaded on the dark web, a corner of the internet most often used for illicit purposes.

In dozens of folders, LockBit advertised at least 500 files for employees’ medical data, electronic signatures, payroll information, cease-and-desist applications, emergency contacts, behavioural complaints, performance assessments and resignation letters. By way of example, just one of those folders, titled “Traumatic Incidents,” contained information about multiple stores that experienced incidents, with employee testimonials detailing the events.

The company had previously said that it was not willing or able to pay the ransom that LockBit had demanded.

The cyberattack against London Drugs occurred on April 28. The retailer responded by closing all of its 79 stores in British Columbia, Alberta, Saskatchewan and Manitoba while it worked to investigate and bring its systems back online.

Initially, the company provided statements saying it had “no reason to believe that customer or employee data has been impacted.”

But last Saturday, London Drugs acknowledged that employee information had been compromised. Earlier this week, the company also said that a ransom had been demanded by criminals threatening to release the data – a common tactic when hackers are able to breach a company’s systems.

“We acknowledge that some of these files may contain some employee information – this is deeply distressing and London Drugs is taking all available steps to mitigate any impacts from these criminal acts, including notifying all current employees whose personal information could be potentially impacted and providing them with complimentary credit monitoring services and identity theft protection,” Thursday’s statement said.

The company reiterated previous statements that there is “no indication” information related to its customers and pharmacy patients has been compromised. London Drugs is reviewing the files that were taken in the attack, according to the statement, including those that have been released. Once the review is complete, the company said it would contact employees directly to tell them what personal information, if any, was involved.

LockBit is a notorious ransomware group that operates via a software-as-a-service model, meaning anyone can license the group’s hacking technology with a flat rate or subscription. In turn, the affiliates licensing the ransomware can launch their own attacks for a fee or partner with LockBit to share a portion of the ransom.

Earlier this month, Britain, the U.S. and Australia identified and sanctioned one of the group’s leaders, Russian national Dmitry Khoroshev. Since its inception, LockBit has targeted thousands of victims around the world, according to the U.S. Department of Justice. Those include individuals, businesses, government agencies, nonprofit organizations and schools. A U.S. indictment alleges LockBit’s cybercrime operations have collected at least US$500-million in ransom payments.

A growing rank of companies around the world have been targeted by ransomware that holds their sensitive data hostage. In Canada, the country’s cyberintelligence agency noted last year that ransomware was responsible for the highest share of all attacks, with LockBit being responsible for around one-third of such breaches for the last two years.

Cybercrime is costing companies significant financial losses. There were at least 74,073 cybercrimes reported to police in 2022, more than double the year before, according to Statistics Canada.

Many Canadian retailers have been targeted recently, including Indigo Books & Music Inc., Sobeys parent company Empire Co. Ltd. and the Liquor Control Board of Ontario. In Indigo’s case, sensitive employee data were compromised, and the Liquor Control Board of Ontario disclosed last year that data breaches had targeted customers’ personal information on at least two separate occasions.

The scale of the London Drugs leak is not unusual, said Brett Callow, a B.C.-based cyber threat analyst with anti-malware and anti-virus software firm Emsisoft.

“Ransomware is a very, very big business,” Mr. Callow said. “There are numerous, numerous companies that have been compromised, that have had data stolen, and that data has ended up online.”