“Unauthorized party” obtained Petro-Points members’ contact information in an IT breach, the company says

An unauthorized party obtained the basic contact information of Petro-Points members during a cybersecurity incident that occurred about two weeks ago, the company said on Twitter on Thursday.

It now warns customers to watch out for unusual emails and messages and to “confirm that any request to link, download, call someone or provide personal information is legitimate.”

“We regret that this incident has occurred and we appreciate your patience and understanding as we work to resolve the situation,” the company said.

The incident occurred on or about June 21 when the “unauthorized party” gained access to the company’s IT network, prompting Petro-Canada to disable its Petro-Points website and app, the company said.

On June 25, Suncor, Petro-Canada’s Calgary-based parent company, confirmed that it had experienced a cybersecurity incident.

“It’s interesting that it’s taken them this long to figure out that some customer contact information was stolen,” said Geoffrey Cann, a former Deloitte partner and trainer who helps the energy industry navigate digital change.

“My personal opinion is that it has taken a very long time to find out about this, and 10 days have already passed in which people may have been contacted.”

In a statement Thursday, Suncor said the incident has not compromised the safety or reliability of its field operations. The company said it is notifying Petro-Points members and privacy regulators about the incident and will notify “affected parties” if it discovers additional information was accessed in the breach.

Petro-Canada says customers’ point balances are safe and it will provide credit for points earned during the outage.

Suncor did not immediately respond to CBC’s request for an interview on the subject.