Levi, Ray & Shoup, Inc.

How bad can a cyberattack be?

7/13/2023 by Barry House

It seems like cybersecurity experts, such as the LRS IT Solutions team, are always yammering on and on about securing your network and ensuring there are no vulnerabilities that cybercriminals can exploit.

Many of us hear the constant warnings and often shrug. After all, how bad can a cyberattack be? It’s 2023 and we’re all taking precautions, right?

How bad it can be was recently discovered by Suncor Energy, an integrated energy company headquartered in Canada. Suncor is the parent company of Petro-Canada, which operates 1,500 gas stations throughout the nation and is Canada’s second-largest chain of gas stations.

As with gas stations in the US, Petro-Canada allows customers to use debit and credit cards at the pump and to earn loyalty “Petro-Points”.

That changed the day Petro-Canada customers discovered that they couldn’t use their cards and had to pay cash for all purchases. As CPO Magazine described it in a story dated July 4, “Motorists who have pulled up to one of Canada’s Petro-Canada gas stations in the last few days have been greeted by ‘cash only’ signs, as a cyber attack on parent company Suncor Energy has disrupted the company’s payment and loyalty reward systems.”

Suncor had issued a news release on June 25 announcing the cybersecurity “incident.” The key sentence in that first release was:

“At this time, we are not aware of any evidence that customer, supplier or employee data has been compromised or misused as a result of this situation.”

At that time, Suncor had enlisted the services of a third party to help investigate the hack, which it determined had occurred June 21. The company disclosed no further details.

One security expert, Stephen Gates, Principal Security SME of Horizon3.ai, explained how a cyber attack could shut down card readers on gas pumps.

“Most occurrences of ransomware lock up workstations and data stores but rarely target what most would consider to be IoT. But on the other hand, many gas pumps run commonly used operation systems (like Windows CE) which could make them a considerable target to ransom since an outage could cause untold consumer pain.”

As Suncor kept quiet about its investigation, the CBC found out the company was taking numerous steps internally. In a report dated July 6, the network reported that Suncor was swapping out employee laptop and desktop computers. The CBC said:

“An internal communication dated July 3, viewed by CBC News, says the company will replace desktop and laptop computers in waves to ensure the devices are safe to use, starting with ‘a small number of employees and contractors aligned with business criticality.’”

According to the CBC, Suncor was also telling employees not to access social media on company devices.

Later that day, Suncor issued a statement saying, in part, “We have determined that our Petro-Points™ program has been impacted. The unauthorized party obtained members’ basic contact information. We are notifying Petro-Points members and the appropriate privacy regulators.”

The company stressed that its field operations were unaffected by the cyberattack.

That aspect of the cyberattack could well cost the company millions, not to mention the hit to its reputation. One insurance expert noted that customers will be thinking twice before inserting a debit or credit card into the slot on a Petro-Canada gas pump for quite some time.

More information will be coming out about this cyberattack in the coming weeks and months. We may even learn that it was launched by Russian hackers looking to disrupt operations in an attempt to weaken the country’s support for Ukraine.

For now, the obvious lesson is that you need to pay attention to the yammerings of cybersecurity experts and make sure your entire business network is secure, including the endpoints you might not think about. You really don’t want to find out for yourself just how bad a cyberattack can be.

The Security team at LRS IT Solutions can help you analyze your security posture, so contact us for a consultation.

About the Author

Barry House is a Senior Writer/Editor in the LRS Corporate Communications department.