Calgary

'Unauthorized party' obtained Petro-Points members' contact information in IT breach, company says

An unauthorized party obtained Petro-Points members’ basic contact information in a cybersecurity incident that happened roughly two weeks ago, the company said on Twitter Thursday.

Customers told to watch out for unusual emails and messages

The Petro-Canada logo is pictured featuring a white half maple leaf set against a red background.
(CBC News/CBC Archives)

An unauthorized party obtained Petro-Points members' basic contact information in a cybersecurity incident that happened roughly two weeks ago, the company said Thursday. 

In an email to customers, Petro-Canada said it believes the information was limited to customers' names and the information they "may have provided" since joining the program, specifically their mailing and email addresses, phone numbers and dates of birth.

It's now warning customers to watch out for unusual emails and messages and to "confirm that any request to link, download, call someone or provide personal information is legitimate."

"We regret this incident has happened and we appreciate your patience and understanding as we work to resolve the situation," the company said. 

The incident happened on or around June 21 when the "unauthorized party" accessed the company's IT network, prompting Petro-Canada to disable its Petro-Points website and app, the company said. 

Suncor, Petro-Canada's Calgary-based parent company, first confirmed it had experienced a cybersecurity incident in a statement issued June 25. 

"It's interesting that it's taken them this length of time to figure out that some customer contact data was taken," said Geoffrey Cann, a former Deloitte partner and trainer who helps the energy industry deal with digital change. 

"My personal view is it's taken a very long time to come around to this, and 10 days has already lapsed where people may have been contacted." 

In a statement Thursday, Suncor said the incident has not affected the safety or reliability of its field operations. The company said it is notifying Petro-Points members and privacy regulators about the incident and will update "affected parties" if it discovers additional information was accessed in the breach. 

The company says it's still working to resolve the situation, and customer Alan Tambosso confirmed he still couldn't access his Petro-Points account Thursday. While he's concerned by the incident, Tambosso said it isn't enough to make him boycott the company. 

"Unfortunately, attacks like this seem to be becoming a fact of life, and if we stopped using all the vendors that got attacked, eventually I think we'd have nowhere to buy gas," said Tambosso, who lives in Calgary. 

Cybercrime a growing threat

High-profile cybersecurity incidents have become a growing concern across public and private sectors, with incidents at the bookseller Indigo and the grocery company Empire Co. costing those companies millions in the last year.

The Canadian Centre for Cyber Security has said cybercrime is a particular risk for the oil and gas sector, and that ransomware is "almost certainly" the primary threat to Canadians' reliable supply of oil and gas.

Petro-Canada says customers' points balances are safe and that it will provide a credit for points earned during the outage. 

The company did not immediately respond to CBC's request for an interview on the subject.

Ian Paterson, the CEO of cybersecurity firm Plurilock, says if customers used their Petro-Points password for other accounts they should reset it. 

"My suggestion would be [to] take this opportunity to get out of that bad habit and to try and use a different different password everywhere," he said. 

ABOUT THE AUTHOR

Paula Duhatschek

Reporter/Editor

Born and raised in Calgary, Paula Duhatschek is a CBC Calgary reporter with a focus on business. She previously ran a CBC pop-up bureau in Canmore, Alta., and worked for CBC News in Toronto, Kitchener and in London, Ont. You can reach her at paula.duhatschek@cbc.ca.