Petro-Canada says the nearly weeklong problems that customers have experienced with things like payment and loyalty programs at the gas station chain are ongoing, but it is making progress on solving them.
Problems at the company started about a week ago, when on Friday reports suggested that parent company Suncor had been hacked. Over the weekend, Suncor acknowledged it had experienced a “cybersecurity incident” and stressed that while it was confident that no customer or employee data had been stolen, “some transactions with customers and suppliers may be impacted.”
One of the first places where such disruptions were found was at Petro-Canada, where the chain of more than 1,500 locations across the country had problems processing debit and credit payments. Other services such as the loyalty program app Petro-Points and a car wash-related service have also been impacted.
Petro-Canada said on Twitter that it is “making progress on resolving the disruptions customers have been experiencing and will continue to update you as more services come back online.
“We apologize for the inconvenience this has caused, and we thank you for your patience.”
WATCH | Customers confused and concerned by outage:
Customers filling up told CBC News the incident was inconvenient, but also concerning.
Ella Lee-O’Rourke tried to fill up at a station in Toronto this week and wanted to pay with a card, but had to revert to only buying $20 worth because she happened to have a cash bill on her.
“Nobody carries cash around,” she said. “I’m probably not going to come here for a while again, because I could just go somewhere else that can accept my card.”
Ben Abouakr tried to fill up at a Petro-Canada station in Toronto, but couldn’t so he went to a nearby Shell instead.
“I saw the piece of paper on the pumps saying cash only,” he told CBC News. “It must be something — for three days? It’s more than a technical issue.”
Could be ‘massive problem’
Suncor has yet to tie the cybersecurity incident to problems at Petro-Canada, or even say what type of incident it was, but Ian Paterson, the CEO of cybersecurity firm Plurilock, says the incident does bear some of the telltale signs of being a ” ransomware” attack, where nefarious actors seek access to a company’s network and then hold it hostage in exchange for payment.
He cautions, however, that it may not be.
“If a company was taking down systems voluntarily to try to figure out what happened, it would actually look very similar to a ransomware attack,” Paterson said.
Those attacks often happen when hackers think there may be a vulnerability of some sort, so they often happen during down times such as over holidays, or headed into a weekend.
“Seeing something take place on a Thursday or Friday is not surprising,” he said.
Whatever the cause, given how long the outage has already gone on for, he thinks the company has a “massive problem” in its hands.
“If there is an attack this widespread it will be time consuming and expensive,” he said.
Jon Ferguson, general manager of cybersecurity at the Canadian Internet Registration Authority, agrees that the impact of this cybersecurity incident is likely to be a long one for the company
One of the challenges is it’s a large organization, he said.
“If they have to go in and modify critical systems, that can take a very long time to recover, depending on what’s damaged,” Ferguson told The Canadian Press.
“And then there’s the cost of disruption. I have no idea how much gas Petro-Canada didn’t sell because people didn’t have cash.”
There’s also the cost of the damage to the company’s reputation, he said, “which is very hard to measure, but you’re probably going to think twice before you slip your credit card into a Petro-Canada gas machine now.”
Companies hit by cybersecurity incidents
The incident is just the latest cybersecurity breach to make headlines of late. In February, retailer Indigo was hit by a ransomware attack that wiped out credit and debit payments for days and the online store for almost a month.
And in 2021, the American pipeline company Colonial Pipeline was knocked offline after hackers infiltrated the company’s systems. That attack shut the flow of gasoline across the key pipeline that supplies the eastern seaboard, leading to widespread shortages.
Last week, the Canadian Center for Cyber Security warned that ransomware attacks — where hackers gain access to a company’s internal system and demand payment in exchange for giving it back to them — was the No. 1 cyber threat facing Canada’s oil and gas sector.
“Ransomware is almost certainly the primary cyber threat to the reliable supply of oil and gas to Canadians,” the center said.
Last year, Suncor was one of two dozen oil and gas companies that signed the Cyber Resilience Pledge, a vow to beef up cybersecurity, following the hack of the Colonial Pipeline the year prior.