Skip to content
Join our Newsletter

Stolen London Drugs data posted online in ransomware attack

The files include human resources medical notations, including one of a sexual assault, and financial files.
web1_vka-londondrugs-10773
A London Drugs store in Colwood that was closed after the company was hit by a cyberattack. DARREN STONE, TIMES COLONIST

Ransomware syndicate LockBit released stolen data from London Drugs on Thursday on the heels of a demand for $25 million.

Pages of files posted online are in a folder about 300 gigabytes in size. The files include human resources medical notations, including one of a sexual assault, and financial files.

The files include human resources “harassment” investigations with named parties.

Cybersecurity analyst Brett Callow, based in Shawnigan Lake, likened the data dump to a hostage-taking gone wrong. “This is like kidnappers killing their hostage,” said Callow. “They’re giving up on being able to monetize the attack and are releasing the info as a warning to future victims.”

London Drugs discovered on April 28 it was the victim of a cyberattack by a “sophisticated group of global criminals.”

It closed all 79 of its Western Canada stores until May 7, and hired cybersecurity experts to help it respond.

A threat posted by LockBit on Tuesday said the stolen data would be released unless it was paid $25 million by Thursday. London Drugs said it was “unwilling and unable to pay ransom to these cybercriminals.”

The LockBit notice was removed Wednesday, which Callow said is sometimes a sign of a ransom being paid or negotiated.

London Drugs may have never been willing to pay but it’s possible, if it was negotiating, it was doing so only to stall the release of ­information, said Callow. He estimates about one-third of victims pay some amount of ransom.

The stolen information includes files on payrolls, garnishments, pay stubs, taxes, benefits, sick leaves, suppliers’ names, photos, invoices, meeting minutes, billings, executive calendars, letters, emails and presentations.

London Drugs said it is aware that some files “have now been released.”

“This is deeply distressing and London Drugs is taking all available steps to mitigate any impacts,” it said in a statement.

Affected employees have been provided with free credit ­monitoring and identity-theft protection.

London Drugs said there’s no indication of any compromise of customer databases.

“Once we have completed our review, pursuant to privacy laws, we will contact affected employees directly to inform them of what personal information of theirs was compromised, if any,” said London Drugs.

The B.C. government said a state or state-sponsored attack on its computer systems on April 10, April 29 and May 6 are not connected to recent cyber­attacks on the First Nations Health Authority and London Drugs.

B.C. Premier David Eby said Thursday the three high-profile incidents took place within a short period “but, as best we understand it, are unrelated.”

Eby said threats to people’s information and their financial security are a real and growing worldwide. The province completed a $50.8 million computer-network upgrade in 2022 which in part allowed the province to detect the cyberattacks, he said.

Eby said the province continues to support all of the agencies it deals with “in upping their game to be as ready as possible.”

The ransomware attack against the First Nations Health Authority was discovered May 13 and the authority “immediately deployed countermeasures to block the unauthorized entity’s access and prevent any further unauthorized activity.”

The authority said it uncovered evidence that certain employee information and limited personal information of others was compromised, adding it does not believe the incident has affected clinical information systems it uses.

The stolen information was released on INC Ransom on the dark web on Wednesday.

It includes Canada Life health-insurance billing data, ­procurement contracts, First Nations Health Authority budgets, cheques, information on dental services to remote First Nations communities, as well as records and correspondence from the Northern Health Authority.

First Nations Health Authority employees, first notified of the security breach on May 15, were told “corporate credit card information” and 2023 T4 tax forms may have also been accessed and copied by a third party.

With thousands of cyber­attacks each year, it’s inevitable that clusters of such hacks will occur, Callow said.

Despite talk of mysterious cyber criminals and the dark web, “most ransomware attacks succeed because of fairly simple security failings” and when stolen data is posted on the internet, it’s fairly easy to find, he said.

One of the simplest ways individuals and companies can better protect themselves is by employing multi-factor authentication using, for example, a password combined with a code issued via text or app.

Companies should install security-update patches regularly and have strong-password policies, he said.

“If organizations get all of those basic things right, they will significantly reduce the likelihood that they will become the next victim.”

He said most victims cite being attacked by sophisticated cybercriminals “because that makes them look less incompetent but sometimes it’s because they haven’t applied [multi-factor authentication] and a bunch of teenagers managed to get into their system as a result of that.”

[email protected]

>>> To comment on this article, write a letter to the editor: [email protected]