Cyber Analysis Group - CyberAGroup - OSINT Darkweb Investigations  - Insider Threat - Crypto - Online threat & exposure - SOCMINT - Canadian

CyberAGroup assesses that a ransom was likely paid in the Loblaw breach, primarily because the threat actors voluntarily removed their post on the morning of the deadline. In typical data ransom scenarios, attackers don’t simply disappear when a deadline passes; they usually escalate by doubling their demands, even when bluffing, or by leaking more data to maintain leverage. Having worked on similar cases, we have found that hackers generally only back down once they’ve been compensated.

Given that they probably paid a ransom, the incident is certainly more than a "low-level data breach." It is also being reported that Loblaw has engaged outside cybersecurity firms to conduct a forensic audit and determine the full extent of the intrusion. At the time of this post, Loblaw is sticking to its guns; its original notification from March 10 remains and has not been updated.

Just because Loblaw paid a ransom doesn't mean your personal information is safe, especially in this case. Trusting in the "honor" and good faith of cybercriminals to actually delete data is a gamble at best. With respect to "branded" ransom groups like PLAY, SHINYHUNTERS, or COINBASE CARTEL, a victim’s only hope is that these groups won't dump, resell, or re-ransom the data in order to protect their reputations so that future victims will pay up.

In this incident, involving a single username created specifically for this ransom (not publicly identified with any of the known groups), there is no reputational damage if the attackers turn around and sell the data to other bad actors or simply dump it on the dark web in the future. Payment doesn't equal real protection. It may only prevent Loblaw from dealing with immediate consequences, with the company hoping that when your data does eventually surface, they won't be blamed.

So, what now? We should expect to know exactly what personal data is out there and could resurface. Unfortunately, we don't know of a case where a company provided its customers with the real full details, even when they know exactly what was leaked. The sad reality is that companies will often tell customers it was a "low-level" leak and hope everyone forgets about it. While those companies go back to business as usual, the data lives on to be exploited by the burgeoning industry of fraudsters, extortionists, and data brokers.