Skip to main content
Open this photo in gallery:

Representatives declined to answer a question about whether any customer information was compromised during a cybersecurity incident that knocked out the LCBO’s website and mobile app.Fred Lum/The Globe and Mail

The Liquor Control Board of Ontario says a “cybersecurity incident” was responsible for taking its website and mobile application offline, the latest hack in a series of recent attacks on Canadian organizations.

The provincial Crown corporation first announced the incident on Tuesday night via social media, stating that an investigation was under way. The outage, which continued throughout the day on Wednesday, did not affect operations at its more than 600 liquor stores across Ontario, the LCBO wrote. Representatives declined to answer a question about whether any customer information was compromised.

But the breach highlights growing concerns among businesses and public-sector organizations – as well as mounting costs – related to cybersecurity.

LCBO continues to investigate cybersecurity incident; site and mobile app still down

In 2021, Canadian businesses reported spending a total of $9.7-billion to detect or prevent cybersecurity incidents, which is an increase of roughly $2.8-billion compared with what they spent in 2019, according to a Statistics Canada survey of more than 12,000 companies. Nearly one in five businesses surveyed reported experiencing a cybersecurity incident, and in total those companies reported costs related to those breaches of more than $600-million, a number that had also risen compared with 2019.

Just last month, Toronto’s Hospital for Sick Children was the subject of a ransomware attack, which affected many of the hospital’s network systems for more than two weeks. Last week, the hospital announced it had restored roughly 80 per cent of its priority systems. A ransomware group called LockBit apologized for the attack and offered a free decryptor for SickKids to unlock the data; the hospital wrote in the statement that it had not used the decryptor and had not paid any ransom.

In November, retailer Empire Co. Ltd., which owns grocery banners including Sobeys, Safeway, IGA and FreshCo, was also hit by a cybersecurity breach that shut down many of its pharmacy services for four days, and affected other operations for roughly a week, including self-checkout terminals, gift cards, and redemption of loyalty points. CBC, citing unnamed employees, reported that the disruption resulted from a ransomware attack, but the company referred to it only as a “cybersecurity event.” Last month, Empire estimated that the cost of the breach will be roughly $25-million. That estimate relates to costs to the business after insurance coverage that it holds for such events.

“Like a lot of loss-prevention issues, companies don’t like to talk about it, because they don’t want to give any clues to the bad guys,” in terms of their defence strategies, said Michael LeBlanc, a senior adviser for the Retail Council of Canada. Mr. LeBlanc compared dealing with cybersecurity threats to a game of Whac-A-Mole. “You fix one breach and you have to go to work on, what did we learn from that, how can we strengthen that system. It’s non-stop.”

While the issue is not limited to one industry, retailers are often a target for cyber attacks, partly because they process credit card data and other valuable customer information.

“When I ask retailers what keeps them up at night, this is it,” Mr. LeBlanc said.

But Lisa Kearney, chief executive officer of the Women CyberSecurity Society Inc., said in her 15 years as a consultant, she has rarely seen organizations put enough resources toward the prevention of data breaches prior to their occurrences. “Even when there are resources available internally, businesses are not often trained or knowledgeable, or frankly ready, to take action,” she said.

Ms. Kearney believes the reason many organizations go through cybersecurity incidents “over and over again” is because once systems have been recovered after a breach, companies move cybersecurity down on their list of priorities again.

“They get what we could call social amnesia, forgetting how important those security concerns were when they first went through it,” she said. “People, especially those in power or with authority, are getting desensitized because these attacks are happening with so much frequency these days.”

Adastra Corp., which provides analytics and data solutions for global companies, released a report Wednesday that found 77 per cent of 882 business managers surveyed across Canada and the United States believe their organizations are likely to experience a data breach in the next three years.

“At the same time, we also saw that 68 per cent of managers surveyed say their companies have a cybersecurity division and a further 18 per cent report they are in the process of creating one,” said Kuljit Chahal, the practice lead for data security at Adastra.

“The issue isn’t about whether you have a cybersecurity division or not,” said Kimberley St. Pierre, director of strategic accounts at cybersecurity and systems management provider Tanium Inc. “It’s about whether companies are using their systems practically and efficiently.”

“We cannot afford to be surprised any more,” said Charles Finlay, executive director of the Rogers Cybersecure Catalyst at Toronto Metropolitan University, formerly known as Ryerson University. “This is the norm now. Cyber attackers will target the most important parts of our society and our economy and our critical infrastructure. And the impacts of these attacks are going to be increasingly serious.”

Follow related authors and topics

Authors and topics you follow will be added to your personal news feed in Following.

Interact with The Globe