Loblaw Data Breach Exposes Customer Contact Information

What happened

Canadian retail giant Loblaw Companies Limited disclosed a data breach after detecting suspicious activity within a contained portion of its IT network. The company determined that a criminal third party accessed basic customer information, including names, phone numbers, and email addresses. The intrusion was discovered during an investigation into unusual activity on a non-critical system. Loblaw said it secured the affected environment and automatically logged customers out of their accounts as a precaution, requiring them to sign in again to access digital services. The company stated that passwords, health information, and credit card data were not compromised, and its PC Financial subsidiary was not impacted by the breach. 

Who is affected

Customers whose information was stored in the affected Loblaw systems may have had contact details such as names, phone numbers, and email addresses exposed during the incident. 

Why CISOs should care

The breach highlights how attackers can access customer data even through limited intrusions into non-critical systems, underscoring the importance of monitoring and securing all segments of enterprise networks. 

3 practical actions

1. Review customer account security measures. Ensure systems that store contact or profile information have appropriate access controls and monitoring. 
2. Investigate suspicious activity on non-critical systems. Even limited systems can expose sensitive data if compromised. 
3. Force session resets when necessary. Logging users out of accounts can help limit unauthorized access following a breach. 

For more coverage of major security incidents affecting organizations worldwide, explore our reporting on Data Breaches.