Loblaw Companies Limited has disclosed that a cyber attack exposed customer contact information after attackers gained access to a limited portion of its internal network.
The Canadian retail giant says the breach appears to be low-level and did not expose passwords, financial data, or health information.
Loblaw Companies Limited is Canada’s largest food and pharmacy retailer and one of the country’s biggest private-sector employers, with more than 220,000 workers nationwide. The company operates a broad portfolio of grocery, pharmacy, and retail brands across Canada, including Loblaws, Real Canadian Superstore, No Frills, Shoppers Drug Mart, and several online grocery services.
In a security notice published earlier this week, Loblaw said it detected suspicious activity within a contained, non-critical segment of its IT infrastructure. Following an internal investigation, the company determined that a threat actor accessed a database containing limited customer data, including names, phone numbers, and email addresses.
Loblaw said its incident response procedures were immediately activated once the suspicious activity was identified. As part of the response, the company secured affected systems and implemented additional protective measures across its network.
Loblaw also automatically logged customers out of its digital platforms as a precaution. Users attempting to access online services, including grocery ordering platforms and account portals, will be required to log back into their accounts.
According to the company’s preliminary findings, the exposed data appears to be limited to contact information, not including sensitive data such as account passwords, health records, or credit card information. The company also clarified that PC Financial, the financial services division that provides banking and credit products to millions of Canadians, was not affected by the incident.
At this stage, the company has not disclosed how many customers may have been affected or whether the attackers exfiltrated data before the breach was contained. The investigation remains ongoing, and Loblaw said the scope and impact of the incident could change as forensic analysis of its IT systems continues.
Although the exposed data is relatively limited, security experts often warn that contact information leaks can still enable follow-up attacks. Customers are advised to remain cautious of unsolicited communications that claim to come from Loblaw, its affiliated brands, or related services.
If you liked this article, be sure to follow us on X/Twitter and also LinkedIn for more exclusive content.
