CALGARY, ALTA – The systems breach at Suncor Energy Inc. will likely cost the company millions of dollars before it is able to resolve the issue, according to a cybersecurity expert.
Jon Ferguson, general manager of cybersecurity at the Canadian Internet Registration Authority, made the comments in an interview Tuesday, two days after the Calgary-based oil and gas giant issued a news release saying it had experienced a “cybersecurity incident.”
As of Tuesday afternoon, the cyberattack was still affecting many of Suncor’s Petro-Canada retail locations across the country, with many still unable to accept credit or debit payments.
The company’s Petro-Points app and website also remained unavailable.
Suncor has declined to provide details about the type of attack or which other parts of its operations may have been affected, but Ferguson said it’s fair to assume that it will take some time before the company can get back to normal.
“One of the challenges here is it’s a very big organization, and being a very large organization it doesn’t lend itself to this being a quick scenario,” Ferguson said.
“If they have to go in and modify critical systems, that can take a very long time to recover, depending on what’s damaged.”
The longer it takes to address the problem, the larger the bill for Suncor, he added. Cyberattacks are notoriously costly for their corporate victims, who may end up paying off the criminals in the event of a ransomware attack, or who may be forced to provide ongoing credit monitoring and reporting services for customers in the event that personal data was stolen.
Companies can also face costs in the form of lawyers’ fees, as well as the hiring of “data breach coaches” and specialized IT specialists, Ferguson added.
“And then there’s the cost of disruption. I have no idea how much gas Petro-Canada didn’t sell because people didn’t have cash,” he said.
“There’s also the cost of reputational and brand damage, which is very hard to measure, but you’re probably going to think twice before you slip your credit card into a Petro-Canada gas machine now.”
According to a report by IBM, the global average cost to companies of a data breach hit an all-time high in 2022 of US$4.35 million, a 13 per cent increase from 2020.
In the United States, the average cost of a data breach in 2022 was US$9.44 million.
The IBM report said that in 2022, it took an average of 277 days – about 9 months – for companies to identify and contain a breach, and that time is of the essence for companies looking to avoid spiralling costs.
“Days saved are dollars saved when it comes to a data breach,” the report stated.
Suncor’s cybersecurity woes come as the company has been seeking to improve its financial performance after a recent spate of operational issues and workplace safety incidents.
Earlier this month, the company said it would cut 1,500 jobs by the end of the year in an effort to reduce costs.
But while this week’s systems breach is certainly bad news for Suncor, the oil and gas giant is far from alone when it comes to falling victim to cybercrime.
According to the Canadian Internet Registration Authority, 44 per cent of Canadian organizations surveyed in 2022 said they had experienced a cyberattack in the last 12 months.
Three-in-ten organizations surveyed said they had experienced a breach of customer or employee data, while 22 per cent said they had been a victim of a successful ransomware attack.
Of those organizations who said they had experienced a ransomware attack, 73 per cent paid the ransom demands.
©2023 THE CANADIAN PRESS