London Drugs is among a rarified clutch of British Columbia’s retail jewels, arguably the most distinguished of the bunch because of its nearly 80-year presence.
Its original function as a corner-store pharmacy in 1945 has over the decades broadened and positioned it as a crucial community leader across Western Canada. And as we all know, it does many more things than fill prescriptions to serve: as a price competitor on household goods and health and beauty items, and a provider of electronics and photographic services, among others.
It is also a generous supporter and sponsor across an array of vital but underfunded needs on diabetes support, mental health, environmental recycling and sustainability, food banks, veterans support, toy drives, student bursaries and many significant causes through its foundation.
It ought not to surprise any of us that hackers would view LD as an optimal target for ransomware. The chain’s 79 stores sit atop substantial and granular data on millions of Canadians because it is the go-to place for many of our routine and one-off needs.
But the chain’s response to the cybersecurity breach by LockBit, the world’s most prominent cybercriminal group, ought to be a case study for how businesses contend with their almost-inevitable vulnerabilities in this age of global technological disruption and malice.
On April 28, we woke up to the stunning news that the chain’s stores had suddenly shuttered. ߣ emerged of a cyberattack on its technology. On the surface this seemed excessively cautious, but it proved to be a sage move.
London Drugs closed in order to properly gauge the threat to its customer and employee data and staunch any spread of it. The chain was a little insular about the menace, but it was clear that it had its patrons’ security most in mind. And it was also clear it had prepared a plan. That was Lesson No. 1.
It improvised so about half of its chain could provide pharmacy services to ensure existing prescriptions wouldn’t be interrupted – likely a motivating factor for the hackers and one of their perceived points of leverage in their cyberattack. It did the same gradually with its insurance services, with the Canada Post outlets and with its optical services.
LD wisely recognized that no matter what was happening to its infrastructure, it had crucial covenants with the community about its well-being that it could not afford to breach as it explored how to contend with the crisis. That was Lesson No. 2.
The chain stayed with these curtailed services until a full reopening May 7, by which time with the help of third-party experts and police it had a fuller (but not necessarily complete) handle on the breach’s extent.
The hack was not inconsequential – some employee data poached from its corporate head office seems the best guess at this point – but it’s comforting to know that it could have been worse but wasn’t. The customer and patient databases weren’t infiltrated, even if the system breach has caused damage that will take time to fully understand.
London Drugs had by this point turned its attention to its workers, the clearest victims of the attack. Regardless of the extent of the breach, larger or smaller, it has provided employees with 24 months of credit monitoring and identity-theft protection. My guess is that its general approach with this incident suggests that if more is needed, more will be done to maintain employee trust. That is Lesson No. 3.
But LD’s most profound response was to the $25-million ransom request: Nope.
It acknowledged that in the time ahead there could be problematic data on the dark web, but it said it was “unable and unwilling” to capitulate to the demands.
Not that social media provides conclusive societal evidence, but the X.com, Facebook and LinkedIn thrust was supportive.
“Good for London Drugs. Never give in to these bullies,” said one, who had done so at one point, only to be hacked and ransomed again. “More transparency from London Drugs than from our own governments when they are hacked,” said another. “Nice to see going the distance to protect the employees – well done,” said another.
On Thursday, the data was released on the dark web. London Drugs called the move “distressing,” but insisted it hadn’t paid ransom. Its attention now shifts to alerting, and working to mitigate the impact, with employees whose data has been posted. The attackers made good on their threat; LD made good on its pledge to stand up to it.
Given the conscientiousness of the corporate response to date, I doubt it will stop until it is satisfied it has done all it could without giving in. Lesson No. 4.
Kirk LaPointe is a Glacier Media columnist with an extensive background in journalism.