London Drugs confirms cyberattackers demand ransom, has no plans to pay

The London Drugs location in downtown Victoria is shown.

London Drugs is confirming it has received a ransom demand for data stolen in the recent cyberattack, which the company will not pay.

When asked by CHEK News about a ransom notification posted by LockBit, London Drugs confirmed that it had received a ransom demand.

In a statement, the company reaffirms that there is no evidence that customer or patient databases were accessed in the cyberattack, but the company has now learned files from its corporate head office were exfiltrated, some of which may contain employee information.

“London Drugs is unwilling and unable to pay ransom to these cybercriminals. We acknowledge these criminals may leak stolen London Drugs corporate files, some of which may contain employee information on the Dark Web,” the company said in a statement.

“This is deeply distressing and London Drugs is taking all available steps to mitigate any impacts from these criminal acts, including notifying all current employees whose personal information could be potentially impacted.”

London Drugs says it has notified all current employees of the leak and provided 24 months of credit monitoring and identity theft protection services for all employees, regardless of whether or not their information is found to be compromised.

“At this stage in our investigation, we are not able to provide specifics on the nature or extent of employee personal information potentially impacted. Our review is underway, but due to and the extent of system damage caused by this cyber incident, we expect this review will take some time to perform,” London Drugs says.

“Once we have completed our review, we will contact any affected employees directly to inform them of what personal information of theirs was compromised, if any.”

CHEK was alerted to this ransom after Brett Callow, a threat analyst at Emsisoft, shared a screenshot to Twitter (now X) from a ransomware website, LockBit, asking for a ransom of $25 million within 48 hours to prevent the group from leaking the data. London Drugs has not confirmed the ransom amount it was asked or the identity of the attacker.

“It’s certainly not an implausible amount, though,” Callow said to CHEK News in a Zoom interview. “Their demands range typically from the tens of thousands of dollars into the multiple millions, so this would be an unusual amount at all.”

However, Callow says London Drugs refusing to pay the ransom is the right call.

“London Drugs made absolutely the right decision in refusing to pay. All the company would have got in exchange for its money is a pinky promise from an untrustworthy bad faith actor that the stolen data would be destroyed — which is something that we know does not necessarily happen,” he said.

“At the end of the day, if nobody paid ransoms, there’d be no more ransomware. It’s that simple.”

Callow says investigations into exactly what data was stolen can often take months to confirm.

“London Drugs have said they do not believe that customer information was affected hopefully they are right about that,” Callow said. “I’ve seen multiple cases in the past where organizations have had to walk back their initial assessments as to what data was affected.”

In the first six months of 2023, Emsisoft estimates over $449 million was paid in ransomware attacks, with 2023 on track to be “the second most profitable year to date for ransomware actors.”

-With files from CHEK’s Keith Vass


Laura Brougham

Recent Stories

Send us your news tips and videos!