Companies take different approaches in response to recent cyberattacks

Letters sent to some Sobeys customers and employees about a cyberattack nearly four months ago highlight the different approaches being taken by companies on how and when to share information about recent data breaches.

Letters sent to some Sobeys customers and employees about a cyberattack nearly four months ago highlight the different approaches being taken by companies on how and when to share information about recent data breaches.

In a written statement, Sobeys says there’s no evidence of any personal information being taken from the Nov. 1, 2022 breach, and that letters to some customers and employees were being sent “out of an abundance of caution.” The company re-sent the same written statement when asked how many letters had been delivered and if more could be sent.

Empire Company Ltd. has been reluctant to answer pointed questions about the breach and its breadth, which prevented prescriptions from being filled at Sobeys and Lawtons locations for four days. Initially, the company would only call the incident an “IT systems issue” in public statements.

A version of one of the Feb. 13 letters obtained by CTV was received by an employee who last worked for an Empire Company Ltd. business more than a decade ago. The letter urged the recipient to be vigilant for potential phishing attempts and unsolicited communications.

David Shipley, the CEO of Beauceron Security Inc. based in Fredericton, says the letters are a positive development following a long-delay of information from Sobeys.

“I can’t really understand the communications approach on this one,” says Shipley. “The communications approach from the get-go on this one has probably been one of the weaker elements of the response.”

“There’s a lot of really good lessons for others to learn from this in terms of the importance of a very good communications plan, along with all of the other technical recovery plans.”