As Retailers Collect More Data, Cybercrime Hits Retailers Including London Drugs [Expert Comments]

London Drugs stores remain temporarily closed due to a cybersecurity issue.

“On April 28, 2024, London Drugs discovered that it was the victim of a cybersecurity incident. Out of an abundance of caution, all London Drugs stores will remain temporarily closed across Western Canada until further notice while continuing to provide customers with urgent pharmacy care,” said the company.

“London Drugs is currently working with leading third-party cybersecurity experts to bring our operations back online in a safe and secure manner.  Our investigation is currently assessing the extent to which any data has been compromised in the incident. In the event our investigation determines that personal information was impacted, we will notify affected individuals in accordance with privacy laws.”

“Recognizing the impact these closures have had on our customers and employees across Western Canada, it remains our priority to continue working around the clock to have all stores fully operational,” said Clint Mahlman, COO and President, London Drugs, in a statement. “We appreciate everyone’s patience and support during this very difficult time and will provide updates as available.”

London Drugs said its phone lines have been temporarily taken down and will be restored as soon as possible. In the interim, pharmacy staff are on-site at all London Drugs locations to support customers with urgent pharmacy needs. The company is advising customers to visit their local store in-person during regular business hours for immediate support and until the phone lines are back in service. 

Bruce Winder, Retail Analyst and Author, said London Drugs joins the club of Canadian retailers who have fallen victim to a cybersecurity issue.

“The disruption to operations, significant customer friction and impact to cash flow can destroy a retailer or at least severely impact them in the short and even long term. One just needs to use Chapters/indigo as a recent example,” he said.

“Retailers need to band together through the Retail Council to help fight this clear and present danger immediately. The problem is the issue remains a moving target as cyber criminals evolve to evade current countermeasures.”

David Ian Gray, Founder/Strategist with DIG360 Consulting, said in the second half of 2023, while the industry focused on the rise in store theft, he had been hearing of unpublicized cyber incidents in various sectors.

“Following conversations with experts at Thales and ISA Cybersecurity, I came to the conclusion that cyber threat was the most urgent and important issue facing retail leadership. And I’m not talking about CIOs and technology investment. I mean, at the foundational heart of the transforming retail model,” he said

“I think in 2024 most chain retailers are well versed In terms of security software and protocols and how to respond to an incident. I am not a cyber expert. However, my concern is twofold. First, each time I’ve raised it with a CEO or COO, they have directed me to the Chief Technology Officer. My gut says this is a problem. It places far too big a burden on one exec and it suggests the issue is solely about technology and compliance. Who is responsible for the hard, important discussions around how much risk the business should tolerate? How does a more and more complex, digitized business move nimbly to the future and adapt with that risk factored in? How do leaders ensure people inside feel secure and are ready to respond when – not if – an attack occurs? These are questions whose answers are forming and not set.

“But that leads to my second concern: leaders seem terrified to talk about and share experiences around this topic. There is no shame at all in being attacked. These are sophisticated criminals relentlessly testing the gates of all businesses. Retail is especially ripe because of the myriad digital touchpoints from consumer engagement, to the plethora of suppliers and a large, dispersed workforce. Supply chains are becoming more complicated as is the communications with customers. The fear of appearing vulnerable to competitors in sharing should be replaced by the fear of not rallying together. The pandemic showed the power of collective action. This is most important, in my opinion, in the case of ransom attacks.

“The good news? I have seen no evidence that there is significant consumer abandonment of brands who were attacked. Especially those who have a track record of ‘doing the right thing’ and not cutting corners. I think most of us rally around them.We are seeing that big time in the case of London Drugs. We know this is a criminal act. So do vendors and staff.”

London Drugs phones working but stores remain closed after cyberattack https://t.co/GFAnfsro8r pic.twitter.com/1E5EtrdfvQ

— The Vancouver Sun (@VancouverSun) May 2, 2024

Doug Stephens, Founder, Retail Prophet, said we’ve reached a very concerning nexus in retail whereby two things are happening simultaneously.  

“First, retail companies are engaging in a data gold rush, looking to compile as much data about their customers as possible, even streamlining this data into a common stream to avoid silos. However, at the same time, the level of sophistication on the part of hackers  and cyber-extortionists is rapidly increasing, thus putting more data at greater risk. While new enhancements to cyber-security measures via AI are promising in terms of countering these threats, AI may also create new sorts of online security threats we haven’t yet considered or built tools to defend against,” he said.

George Minakakis, who leads advisory firm Inception Retail Group, said data is quickly becoming a corporate asset that must be protected. 

“Data will become an industry that is likely bigger than telecoms and banks.  In the digital age, the evolving landscape of cyber threats continually outpaces defences, relentlessly exposing organizations to new vulnerabilities. As board chair of a for-profit organization, we review cyber security regularly. The key is twofold education and prevention practices and third-party audits, internally and externally, adopting advanced security technologies. All businesses need to be as smart or smarter than the criminals who are using sophisticated AI to break in. And if you keep passing your audits, find someone to take you through an even tougher one,” he said. 

“Corporations must demonstrate a fiduciary duty of care and actively guard customer information. If they don’t, the risk to their brand and business equals the impact of bad products and services and ultimately being outdated. This doesn’t just apply to London Drugs; every organization collecting customer data faces the same challenge as it navigates cyber terrain. Vigilance and adaptability become paramount allies.” 

Michael Kehoe, Broker of Record for Fairfield Commercial Real Estate, said the current cyber-security situation at London Drugs that is inconveniencing customers will impact the firm’s reputation and credibility with consumers in the short term.

“This will be especially pronounced with pharmacy customers. These patrons have expectations of a retail brand for certainty of performance including protection of data and privacy. Depending on severity of data leaks, how the situation is handled by the firm and how long it drags out will determine the severity of the situation,” he said.

“Retail brands with many employees and multiple locations are especially at risk as cyber criminals are always developing new techniques to take advantage. The advancement of AI is making cyber-security more difficult especially for firms with a lack of redundancy as a safeguard.

“London Drugs is a strong brand in Western Canada, and I am sure that pharmacy customers will be prioritized for their prescription needs.There will be hard lessons learned for senior management and provisions put in place to try to stay one step ahead of the hackers.”

Related Retail Insider Articles

• Cyber Attacks Hit Canadian Retailers Hard, Causing Unprecedented Damage [Expert Interview/Report]