Calgary-based Suncor Energy says it has suffered a cybersecurity incident
Canadian oil company Suncor Energy Inc. has confirmed that it has been the victim of a cyber-attack.
The Calgary–based energy giant said in a press release late Sunday that it has “experienced a cybersecurity incident”.
Suncor did not provide further details about the attack, or what parts of its operations were affected.
Over the weekend, however, social media users complained about the inability to use credit or debit cards at the company’s gas stations in Petro-Canada, as well as problems accessing the car wash.
Ian L. Paterson, CEO of Vancouver-based cybersecurity firm Plurilock Security Inc., said it learned as early as Friday that Suncor employees were unable to log into their own internal accounts.
Paterson said much is still unknown about the attack and its fallout, but added that his first reading on the situation is that this is no small data breach.
On Saturday, Petro-Canada’s official Twitter account also tweeted that the company’s Petro-Points app and website were temporarily unavailable.
“All these things together seem to indicate that a major cyber incident may be taking place,” said Paterson.
“I think this could actually be the Canadian colonial pipeline, just in the sense that Suncor is such a big part of the economy.”
In 2021, a ransomware attack successfully targeted the Colonial Pipeline, the largest pipeline system for refined oil products in the US.
It was the largest cyberattack on oil infrastructure in United States history and forced the company to temporarily halt pipeline operations.
In Canada, there has been no large-scale, successful cyberattack against a domestic oil and gas company, although cybersecurity experts have warned for years that the country’s energy industry is an attractive target for cybercriminals.
That includes both financially motivated cybercriminals, such as ransomware attackers, and state-sponsored hackers looking to create geopolitical chaos.
“This could be very, very serious for Suncor, and it’s not much of a surprise,” Paterson said.
“The cybersecurity industry as a whole, and certainly governments, both at the federal level and beyond, have been sounding the alarm for years that critical infrastructure in particular is vulnerable.”
There is no indication that any of Suncor’s critical infrastructure, such as oil sands facilities or refineries, was affected by the incident.
The company also said there is no evidence that customer, supplier or employee data has been compromised or misused.
Suncor said on Sunday that some transactions with customers and suppliers could be affected as the company continues to work to resolve the situation. It also said it has notified the appropriate authorities of the attack.
Paterson said that at best, Suncor will have noticed the break soon. But he said it’s also possible that the company is taking a very long time to fix the problem.
“The problem here is that it’s such a large operation with multiple subsidiaries with such an extensive range of services,” he said.
“If the threat actor has been present and persistent for a long time, it can take a very long time to eradicate them.”
