Connect with us


Should London Drugs give in to ransom demand after cyberattack?



As deadline looms, company says it is unable to pay $25 million ransom.

Article content

As London Drugs faces a $25-million ransom demand from a “group of global cybercriminals,” an Internet security expert says he would have been surprised if no demand was made.

“It’s the obvious next step. I was wondering because we hadn’t heard anything so far,” said Apurva Narayan, a professor in the computer science department at the University of B.C.

He said the ransom demand is likely one of two ways the group hopes to profit from the cyberattack on London Drugs, which forced the company to shutter all of its 79 stores in Western Canada for about a week in early May. The hackers were probably seeking personal information on customers as well.

Advertisement 2

Article content

Narayan said individuals are “very likely” to be impacted by the security breach, depending on what kind of information the hackers were able to obtain.

“They might not see the effects immediately, but in six months, they might notice spam calls or fraudulent activity on credit cards,” he said.

In a statement issued Tuesday when news of the ransom became public, London Drugs said it is “unwilling and unable to pay ransom to these cybercriminals.”

The company said it believes no customer, patient or “primary employee” databases were compromised.

While London Drugs did not name the group responsible for the attack, the Victoria Times Colonist reported that ransomware syndicate LockBit posted a notice on a dark-web site on Tuesday threatening to release stolen data unless it was paid $25 million by Thursday.

The group did not provide details about the data it claimed to have stolen, said the Times Colonist.

Narayan said cybercriminals will usually “release a glimpse” of the data as proof.

“The data could be released even if you pay them,” he said. “It is all in the hands of these people.”

Article content

Advertisement 3

Article content

Nick Nouri, president of North Vancouver-based cybersecurity company Compunet Infotech, said some companies decide to pay a ransom, but each case is different. It often comes down to who the hackers are — if they are known to “stand behind their words” and not release information when paid — and what kind, or how much, information they hold.

“Generally, we don’t want to deal with (hackers) or pay them. But in some cases, there may be more problems if you don’t,” he said.

If a company can negotiate the ransom down to a couple million dollars, it might feel that is the best response, he said.

Narayan said it is typically better for companies to move forward after an attack.

“You can’t change the past, but you need to be proactive about the future,” he said.

In its statement, London Drugs said it is trying to mitigate the impacts of the attack, including notifying its current employees of potential effects. It is also providing 24 months of free credit monitoring and identity-theft protection services to them, “regardless of whether any of their data is ultimately found to be compromised or not.”

Advertisement 4

Article content

“We acknowledge these criminals may leak stolen London Drugs corporate files, some of which may contain employee information on the dark web. This is deeply distressing, and London Drugs is taking all available steps to mitigate any impacts from these criminal acts.”

In a statement, the Canadian Centre for Cyber Security said ransomware is “almost certainly the most disruptive form of cybercrime” and a persistent threat to Canadian organizations. Incidents can be costly and disrupt critical services, as well as the movement of goods.

The level of malicious cyber activity in Canada is “significantly under-reported,” said the statement.

Nouri said for many companies it’s a matter of when, not if, they will become a target. While the London Drugs attack has been well publicized, attacks on other businesses, including law firms and accounting companies, happen frequently, with little public notice.

He said employee education is key.

“You can have the best security software behind you,” he said, “and then someone clicks on a link.”

Recommended from Editorial

Article content

Continue Reading