Owner of Sobeys, Safeway stores tight-lipped on IT problems impacting pharmacies

Two major Canadian food companies continue to keep mum about information technology problems that have plagued their operations for daysand as the silence drags on, some experts say a ransomware attack could be behind the issues.

Empire Company,which owns 1,500 stores across Canada, including Sobeys, Lawtons, IGA, Safeway, Foodland, Needs and other grocery outlets, said Monday an "information technology systems issue" wascausing some of its pharmacies to experience difficulty fulfilling prescriptions. Signs posted at some stores also said the gift card and Scene points systems were down.

The company has not released any further information about the issues affectingthe chain, and did not respond to questions posed by CBC News on Tuesday.

Meanwhile,Maple Leaf Foods says it's continuing to grapple with the effects of a cybersecurity incident that began having impacts on its operations over the weekend.

The company says it's working with cybersecurity experts to resolve the issue and investigate the root cause of the incident.

"Our team has been working tirelessly in creating workarounds for affected systems and processes, and all of our sites ran yesterday," a statement from the company said Tuesday morning.

"However, the outage is continuing to create some operational and service disruptions that vary by business unit, plant and site."

The company has not explained the exact nature of the cybersecurity incident, or detailed how it has affected operations.

Silence may be telling

Ritesh Kotak, a cybersecurity adviser and tech analyst, told the CBC's Information Morning Nova Scotiaon Tuesday he suspects a breach has taken place at both companies.

"Sometimes it's not the information they give us, it's what they don't give us. And when you use such vague language such as an 'IT incident'and then Maple Leaf Foods comes out and says no, it's a cybersecurity incident and we have hired recovery experts, makes me think that it's probably a third-party system that is used by grocery chains that had some sort of vulnerability in it that was exploited by hackers and hit with ransomware."

Kotak said sometimes it doesn't take much to put an entire system at risk.

"I would say the most dangerous thing you're probably going to do today is open email. Sometimes it's literally as simple as clicking on a link, downloading something, and before you know it, your system is infected. But then it has a ripple effect where it literally goes andjumps from computer to computer, server to server, thus locking down and infecting entire infrastructures."

If ransomware malicious software that locks down a system's data until ransom is paid is indeed the issue facing Maple Leaf or Empire, Kotak said he believes companies should resist paying the ransom because there's no guarantee the hackers will relinquish control of the system, they may demand even more payments, andthemoney is often used to fund organized crime or terrorist activities.

"This money, it doesn't go to somebody in their basement. It's organized, it's sophisticated, there's entire networks and it goes on to fund nefarious activities."

'Nobody wants to admit that'

Most companies are reluctant to admit they've been hacked, saysCarmi Levy, anindependent technology analyst based in London, Ont.

"If you admit that you were hit by a ransomware attack, then you admit that you didn't invest enough in cybersecurity and you didn't take your clients' and stakeholders' data seriously enough.And nobody wants to admit that it's like the modern day equivalent ofthe Scarlet Letter."

Robert Hudema with the Ted Rogers School of Management at Toronto Metropolitan University, agrees.

"This is totally embarrassing for a company, saying Iwas held hostage and I had to pay a fine," Hudema said. "Alot of companies arereluctant to spend money on things that are equivalent to fire extinguishers or alarms or things like that to prevent bad things from happening,and as a consequence, bad things happen."

But Levy said he believes it's a good thing when companies talk about cyberattacks because it normalizes the issue.

"It's a matter of when, not if that every company that we deal with will probably be affected by some sort of cybersecurity incident. So let's not write off the companies that are targeted. Let's recognize that this is a regular fact of life in the modern digital age and we could be victimized just as easily as anyone else."

Lack of transparency

Cybersecurity expert David Shipley of Beauceron Security said he has a lot of empathy for the IT teams and senior executives who have to deal with cybersecurity problems.

"This is probably the worst week of their lives," he told Information Morning Fredericton.

He said companies tend to clam up because they are facing pressure from their insurance companies, lawyers and regulators and concerns about share prices may also be hanging over their heads.

Shipley said there is also a tendency to "victim-blame" companies that are targetedby well-financedcybercriminals.

"The reality is, if it is aransomware attack,these groups are run like international businesses and they'redamned good at what they do and it's almost impossible to protect any organization 100 per centof the time."

Shipleypraised Maple Leaf for being transparent about its cybersecurity issue, and said companies such as Empire, which are publicly traded, may have to disclose any financial losses stemming from its IT issue in its quarterly or annual statements.

But he saidthere should be more disclosure and accountability from regulators, similar to the airline industry which must reports on incidents that affect safety and security.

"The reality is there are not a single law on the books that says that Canadians deserve to know what happens with this," he said.

"Butwe depend on food delivery even more than we depend on the airline industry and it impacts Canadians every single day. But we have zeroaccountability with that."