Canadian supermarket chain Empire Co. may have to take a charge of C$25 million to its finances for costs not covered by cyber insurance from the cyber attack it suffered last month.
The Nova Scotia company, which owns the Sobeys, IGA, FreshCo, Farm Boy and other brands, made the statement Thursday in a news release accompanying its latest quarterly financial results. It had net earnings of over C$189 million in the quarter on sales of C$7.6 billion.
Empire continues to be mum about what kind of “cyber incident” it suffered, although several media outlets, including Bleeping Computer, say it was ransomware.
Over a month later, the company is still systematically bringing information and administrative systems back online in a controlled, phased approach, the statement says.
“Empire has been able to operate its retail network with little disruption and no disruption to the supply chain,” it adds. “This cybersecurity event and the precautionary response caused some temporary problems. For example, pharmacy services were shut down for four days while some in-store services, such as self-checkouts, gift cards and redemption of Scene+ points were impacted for approximately one week. Other than this, customers would have noticed very few changes to their normal shopping experience.”
Upon discovery of the incident on Nov. 4, Empire activated its incident response and business continuity plans, the statement said, including the retention of outside experts. It isolated the source of the attack and implemented measures to prevent its further spread.
That included shutting certain IT systems “out of an abundance of caution.” During restoration efforts, the company established certain workaround processes to ensure continuity of supply, costing and retail pricing.
“The company takes the protection of personal information as critically important,” the statement also says. “The company continues to investigate this matter and, if a conclusion is reached that applicable data has been removed from the Company’s systems, the company will take all required steps with privacy regulators and impacted individuals.”
“This cybersecurity event has reinforced the importance of the investments already made in the cybersecurity area, as well as upcoming investments in the IT systems and people,” it adds. “Continuous enhancement of the company’s IT infrastructure will strengthen its defense against future such incidents.”