Sobeys cyberattack projected to cost $25 million after insurance

Sobeys cyberattack projected to cost $25 million after insurance

Supermarket chain Sobeys and its parent Empire Company have unveiled new details on the cyberattack it sustained in November.

The cyberattack disabled some in-store functions such as self-checkout machines, gift card use and the redemption of loyalty points for a week. The incident also prevented customers from filling out prescriptions with Lawtons Drugs, also owned by Empire, for four days.

Empire revealed in a financial results conference call this week that the cybersecurity event is expected to cost $25 million after insurance recoveries. However, it has declined to reveal the total cost of the disruption.

“We’re not going to provide the gross amount,” said Empire and Sobeys chief financial officer Matt Reindel.

“We are estimating a net impact of $25 million to net earnings. This estimate includes certain business losses, such as shrink and additional labour, and then direct costs such as IT professional expenses and legal expenses.”

Empire and Sobeys president and CEO Michael Medline also said that the company acted immediately after the “intrusion” was detected.

“We immediately began to isolate the source and shut down certain systems to prevent further spread and to protect our operations and our data,” Medline explained during the call.

The Canadian Press reported that it is currently unclear if any personal information was stolen during the breach, or if Sobeys had paid a ransom.

According to data from IBM, Canada ranks third in the world for average data breach costs. The average cost of a data breach in Canada was US$5.4 million (CA$7.3 million) in 2021 – a 20% increase from 2020, IBM found.