Five days after it suspended customer login access to its retail website, which allows consumers to track their loyalty accounts, Canadian Tire Corporation admits customer information may have been stolen.
“We believe an unknown third party may have obtained your log-in information, including your email address and password information, from a prominent third-party website breach and used this information to gain access to your canadiantire.ca account,” an email received by a customer, and shared with Global News, on Friday said.
“Information you entered on your profile, along with basic transactional information relating to your loyalty account, may have been accessed.”
The email instructed customers to change their account password.
“We require you to change your password, which you can do by visiting your account on the Canadian Tire website or by calling Customer Service at 1-800-226-8473. Our recommendations on how to create a secure password are found on our website.”
Canadian Tire communications manager Stephanie Nadalin previously told Global News company staff became aware of “unusual web traffic” on the store’s website, canadiantire.ca.
“We recently noticed unusual traffic on our website and suspended customer sign-in capabilities while we investigate,” said Nadalin.
On Thursday, the company issued a statement claiming Canadian Tire MasterCard accounts are unaffected by the shutdown.
“There is no credit card information, including credit card transaction history, contained anywhere on the canadiantire.ca website, which is the only website on which we have suspended customer sign-in capability for registered users,” wrote Susan O’Brien, the company’s vice president of marketing and corporate affairs.
“To be clear, no credit card information is stored on the loyalty database,” she added. The company pinned a similar message on its Twitter page, which read:
“We’ve suspended the sign-in option for registered users on Canadiantire.ca. Credit card accounts are NOT affected. We’re working on it.”
Rob Howes, a cyber security consultant and vice president with CodeEye Solutions, spoke generally about retail breaches and said consumers could potentially hear more in the future.
“Over a course of time, the breach … expands as organizations investigate internally into their systems they find out, ‘Oh wow, this was a lot bigger than we originally thought’ and then they have to communicate that internally to regulators and to the consumer,” he said.
“If their information has been breached, the organization should be on the hook for monitoring their credit for three to five years. But this will play itself out over the next weeks (and months).”
A Canadian Tire customer named Hugh first alerted Global News to problems on the site, saying he wanted to check his balance. He also told Global News he had previously connected to his credit card information through the site.
Beginning Sunday, other Canadian Tire loyalty users began posting queries on the company’s Twitter page asking for an explanation.
“Can’t sign into my CT Money account on website or with app,” wrote @RobTremblay.
“Is there something wrong with the CT app? I can’t seem to log in,” wrote @Infinite_Limits.
Each client got the same response from Canadian Tire: “Hi…can you please DM the browser/device you are using so we can look into this? Thanks.”
Canadian Tire did not publish any explanations for its shutdown and, in reply to another online question, explained “we’re experiencing tech difficulties and have temporarily disabled log-ins.”
Peter Giannoulis, a principal for cyber security consulting firm Source 44 Consulting in Vaughan, Ont., said large retailers like Canadian Tire are targets for hackers in search of a payoff.
“Most criminals are looking to steal information in order to make money and a lot of it comes down to credit cards or holding companies hostage for encrypting their data and saying, ‘Pay me or you can’t have your data back,’” Giannoulis said.
Canadian Tire did not disclose any concern publicly until contacted by Global News.
Giannoulis said that with cyberattacks, companies often don’t realize the depth of the problem until later.
“Sometimes when you start to investigate, when you find out something is wrong, you realize the breach could have been done six months ago and they’ve been sitting on your network and collecting things for months,” he said.
This isn’t the first time the 94-year-old retailer has been the target of a security breach.
In 2009, the company was impacted by one of the largest and most serious data breaches to that point.
It was forced to cancel and reissue about 16,000 of its MasterCard credit cards.
Canadian Tire isn’t the only retailer trying to manage a security breach at the moment.
Loblaw is warning its PC Plus rewards collectors to beef up passwords after points were stolen from some members’ accounts.
Spokesman Kevin Groh said usernames and passwords stolen from other sites were used to access accounts on the PC Plus site. But he did not disclose how many customers lost points.
Canadian Tire said it has “systems in place to monitor for unusual online activity to protect the personal information of our customers.”
The company hasn’t said when it plans to resume normal customer service online.
Katherine Aylesworth, Nick Westoll and The Canadian Press