Suncor Energy says it is facing a “cyber security incident” that is affecting payments for some Canadians fuelling up at Petro-Canada pumps.
The Calgary-based oil and gas company released a statement Sunday saying “some transactions” with customers and suppliers may be impacted while it works to resolve the issue.
Some customers said on Twitter that the Petro-Canada stations they visited over the weekend were only taking cash.
A tweet from the Petro-Canada Twitter account posted Saturday night said users would not be able to log into the company’s website or loyalty app.
“At this time, we are not aware of any evidence that customer, supplier or employee data has been compromised or misused as a result of this situation,” Suncor said in a statement.
The company said it had reached out to “appropriate authorities” and is working with a third-party investigator to resolve the situation.
Suncor has not yet responded to Global News’ Monday request for information about the extent of the outages and any timeline for restoration.
The Canadian Centre for Cyber Security told Global News it was aware of reports of an incident affecting Petro-Canada, but said it did not generally comment on “specific cybersecurity incidents.”
It added, however, that Canada’s oil and gas sector “is an ongoing target for malicious cyber activity.” The agency posted a “threat bulletin” dated June 21 highlighting cyber risks in the sector, but the spokesperson noted such bulletins are general assessments for the industry and not related to specific incidents.
Could be a 'sizeable' incident, cyber expert says
Ian L. Paterson, CEO of Vancouver-based cybersecurity company Plurilock Security Inc., told the Canadian Press that his early read on the situation is that this is not a minor data breach.
“All of these things put together seem to suggest that there could be a sizeable cyber incident that’s taking place,” Paterson said.
“I think that this actually could be the Canadian Colonial Pipeline, just in the sense that Suncor is such a large part of the economy.”
In 2021, a ransomware attack successfully targeted the Colonial Pipeline, the largest pipeline system for refined oil products in the U.S.
It was the largest cyberattack on oil infrastructure in the history of the United States, and forced the company to temporarily halt pipeline operations.
In Canada, there hasn’t been a large-scale, successful cyberattack on a domestic oil and gas company, though cybersecurity experts have been warning for years that this country’s energy industry is an attractive target for cybercriminals.
That includes both financially motivated cybercriminals, such as ransomware attackers, as well as state-sponsored hackers seeking to create geopolitical mayhem.
“This has the potential to be very, very serious for Suncor, and it’s not really a surprise,” Paterson said.
“The cybersecurity industry as a whole, and certainly governments both at the federal level and others, have been sounding the alarm for many years that critical infrastructure in particular is vulnerable.”
There is no indication that any of Suncor’s critical infrastructure, such as oilsands facilities or refineries, have been affected by the incident.
Paterson said in the best-case scenario, Suncor will have caught the breach quickly. But he said it’s also possible that it could take the company a very long time to resolve the issue.
“The problem here is that it’s such a large operation with multiple subsidiaries with such an expansive set of services,” he said.
“If the threat actor has been present and persistent for a long time, it could take a very long time to root them out.”
— with files from the Canadian Press