Some Petro-Canada locations are cash only amid 'cybersecurity incident' at parent company Suncor
Company's loyalty program, Petro-Points, is also impacted
Numerous Petro-Canada gas stations are only able to process cash transactions, as parent company Suncor works to fix what it is calling a "cybersecurity incident" over the weekend.
On Sunday, Suncor said it was working with third-party experts to investigate and resolve the issue.
"At this time, we are not aware of any evidence that customer, supplier or employee data has been compromised or misused as a result of this situation," Suncor said on Sunday. "While we work to resolve the incident, some transactions with customers and suppliers may be impacted."
One of those impacts seems to be at Petro-Canada stations, where several locations across the country are unable to process various electronic payments. The company's loyalty program, Petro-Points, is also offline.
"Petro-Canada is a Suncor business and together, we're responding to a cybersecurity incident. While our sites are open, you may experience disruptions to some services," the company said on Twitter. "Some of our sites can only accept cash and our app and Petro-Points login are unavailable. Car washes may also be unavailable at some locations."
CBC News has independently verified that credit payment systems are down at numerous Petro-Canada locations across Canada, but it's not known exactly how widespread the issue is or when it started. Suncor did not reply to multiple requests for comment on Monday.
Petro-Canada customer Alan Tambosso went to fill up at a location in Aldersyde, Alta., just south of Calgary, and saw signs on the pump and inside the store alerting customers that the electronic payment systems were down, he told CBC News in an interview. "The were completely out. They were taking cash only."
Ottawa resident Michael Blackie pays for a service that allows him to get as many car washes as he wants within 90 days for $220. He's been unable to get one since Thursday, when he drove to numerous locations around Ottawa and discovered they were all down.
"It has not been working since Thursday of last week. The online portal does not work and you cannot redeem any of your pre-loaded passes for car washes," he told CBC News. "Every Petro-Canada in Ottawa ... will only take cash — they clearly have a major problem."
Growing cyber threat
The incident comes only days after the Canadian Centre for Cyber Security warned that ransomware attacks — where hackers gain access to a company's internal system and demand payment in exchange for giving it back to them — was the No. 1 cyber threat facing Canada's oil and gas sector.
"Ransomware is almost certainly the primary cyber threat to the reliable supply of oil and gas to Canadians," the centre said.
Last year, Suncor was one of two dozen oil and gas companies that signed the Cyber Resilience Pledge, a vow to beef up cybersecurity, following the hack of the Colonial Pipeline the year prior.
The Colonial Pipeline hack was the largest cyberattack on oil infrastructure in the history of the United States, and forced the company to temporarily halt pipeline operations — which cascaded up and down the eastern seabord by limiting the supply of gasoline.
Ian L. Paterson, CEO of Vancouver-based cybersecurity company Plurilock Security Inc., said the payment problems at Petro-Canada could be "just the tip of the iceberg" of Suncor's breach. He added that as early as Friday, he was also hearing about Suncor employees being unable to log in to their own internal accounts.
"All of these things put together seem to suggest that there could be a sizable cyber incident that's taking place," Paterson said, cautioning that much is still unknown about the current situation.
"I think that this actually could be the Canadian Colonial Pipeline, just in the sense that Suncor is such a large part of the economy."
Canadian retailer Indigo was hit by a ransomware attack in March that rendered it impossible to process sales using anything but cash for several days back in March, and knocked the company's e-commerce platform offline for even longer.
With files from the CBC's Greg Ross and The Canadian Press