Canadian Tire admits 5 days after breach customer info may have been ‘accessed’

WATCH ABOVE: One of Canada’s largest in-store and online retailers has acknowledged it suffered a security breach forcing it to prevent customers from checking their points and credit card accounts. Sean O’Shea reports – Feb 8, 2017

Five days after it suspended customer login access to its retail website, which allows consumers to track their loyalty accounts, Canadian Tire Corporation admits customer information may have been stolen.

“We believe an unknown third party may have obtained your log-in information, including your email address and password information, from a prominent third-party website breach and used this information to gain access to your account,” an email received by a customer, and shared with Global News, on Friday said.

“Information you entered on your profile, along with basic transactional information relating to your loyalty account, may have been accessed.”

WATCH: As of Friday afternoon, loyal Canadian Tire customers couldn’t access the company’s website after the company said it prevented access because of unusual activity. Sean O’Shea reports. (Feb. 10)

The email instructed customers to change their account password.

“We require you to change your password, which you can do by visiting your account on the Canadian Tire website or by calling Customer Service at 1-800-226-8473. Our recommendations on how to create a secure password are found on our website.”

Canadian Tire communications manager Stephanie Nadalin previously told Global News company staff became aware of “unusual web traffic” on the store’s website.

“We recently noticed unusual traffic on our website and suspended customer sign-in capabilities while we investigate,” said Nadalin.

On Thursday, the company issued a statement claiming Canadian Tire MasterCard accounts are unaffected by the shutdown.

“There is no credit card information, including credit card transaction history, contained anywhere on the website, which is the only website on which we have suspended customer sign-in capability for registered users,” wrote Susan O’Brien, the company’s vice president of marketing and corporate affairs.

“To be clear, no credit card information is stored on the loyalty database,” she added. The company pinned a similar message on its Twitter page, which read:

“We’ve suspended the sign-in option for registered users on Credit card accounts are NOT affected. We’re working on it.”

Mobile customers on Canadian Tire’s website saw this message earlier this week. Global News

Rob Howes, a cyber security consultant and vice president with CodeEye Solutions, spoke generally about retail breaches and said consumers could potentially hear more in the future.

“Over a course of time, the breach … expands as organizations investigate internally into their systems they find out, ‘Oh wow, this was a lot bigger than we originally thought’ and then they have to communicate that internally to regulators and to the consumer,” he said.

“If their information has been breached, the organization should be on the hook for monitoring their credit for three to five years. But this will play itself out over the next weeks (and months).”

A Canadian Tire customer named Hugh first alerted Global News to problems on the site saying he wanted to check his balance. He also told Global News he had previously connected to his credit card information through the site.

Beginning Sunday, other Canadian Tire loyalty users began posting queries on the company’s Twitter page asking for an explanation.

“Can’t sign into my CT Money account on website or with app,” wrote @RobTremblay.

“Is there something wrong with the CT app? I can’t seem to log in,” wrote @Infinite_Limits.

Each client got the same response from Canadian Tire: “Hi…can you please DM the browser/device you are using so we can look into this? Thanks.”

Canadian Tire did not publish any explanations for its shutdown and in reply to another online question explained “we’re experiencing tech difficulties and have temporarily disabled log-ins.”

Peter Giannoulis, a principal for cyber security consulting firm Source 44 Consulting in Vaughan, Ont., said large retailers like Canadian Tire are targets for hackers in search of a payoff.

“Most criminals are looking to steal information in order to make money and a lot of it comes down to credit cards or holding companies hostage for encrypting their data and saying, ‘Pay me or you can’t have your data back,'” Giannoulis said.

Canadian Tire did not disclose any concern publicly until contacted by Global News.

Giannoulis said with cyberattacks, companies often don’t realize the depth of the problem until later.

“Sometimes when you start to investigate, when you find out something is wrong, you realize the breach could have been done six months ago and they’ve been sitting on your network and collecting things for months,” he said.

This isn’t the first time the 94-year-old retailer has been the target of a security breach.

In 2009, the company was impacted by one of the largest and most serious data breaches to that point.

It was forced to cancel and reissue about 16,000 of its MasterCard credit cards.

Canadian Tire isn’t the only retailer trying to manage a security breach at the moment.

Loblaw is warning its PC Plus rewards collectors to beef up passwords after points were stolen from some members’ accounts.

Spokesman Kevin Groh said usernames and passwords stolen from other sites were used to access accounts on the PC Plus site. But he did not disclose how many customers lost points.

Canadian Tire said it has “systems in place to monitor for unusual online activity to protect the personal information of our customers.”

The company hasn’t said when it plans to resume normal customer service online.

Katherine Aylesworth, Nick Westoll and The Canadian Press
