London Drugs, a major electronics and consumer goods retailer operating 79 stores across British Columbia, Alberta, Saskatchewan, and Manitoba, experienced a catastrophic ransomware attack in April 2024. The LockBit ransomware gang encrypted critical systems across the entire chain, forcing the retailer to close all locations simultaneously for over a week. The incident represented one of the largest coordinated retail closures in Canadian history and highlighted the devastating impact that sophisticated ransomware attacks can have on geographically distributed retail operations.

What Happened

On April 7, 2024, London Drugs' leadership discovered that their systems had been compromised by the LockBit ransomware gang. Investigation revealed that threat actors had gained initial access weeks earlier through exploited vulnerabilities in remote access services and then conducted extensive reconnaissance across the network. The attackers had systematically mapped London Drugs' infrastructure, identifying critical systems controlling inventory, point-of-sale, supply chain management, and corporate communications.

When the ransomware was deployed, it spread rapidly across London Drugs' centralized IT infrastructure due to inadequate network segmentation. Because stores rely on centralized systems for inventory management, payment processing, and operational guidance, the encryption of core infrastructure immediately rendered all 79 locations unable to conduct business. London Drugs leadership made the strategic decision to close all stores temporarily rather than attempt to operate with severely limited functionality.

Scale of the Disruption

The operational impact of the London Drugs attack was unprecedented in Canadian retail:

  • All 79 stores across four provinces forced to close simultaneously
  • Closure lasted more than 10 days as systems were rebuilt
  • Estimated revenue loss exceeding CAD $20 million
  • Over 4,000 employees unable to work during closure period
  • Supply chain disruptions affecting multiple vendors
  • Loss of customer data and compromised payment information from multiple transactions

LockBit's Claims and Extortion Tactics

LockBit posted evidence of the attack on their dark web site, claiming to have exfiltrated approximately 2.5 gigabytes of sensitive data before deploying the ransomware. The gang demanded a substantial ransom and threatened to release confidential London Drugs business information, including vendor contracts, customer data, and financial records. The public extortion campaign included leaked documents and explicit threats to contact customers, vendors, and regulatory authorities if the ransom was not paid.

Data Compromised

The exfiltrated data reportedly included:

  • Customer payment information and credit card data
  • Employee personal information including Social Insurance Numbers
  • Vendor and supplier contract information
  • Customer loyalty program data
  • Financial records and business correspondence
  • Proprietary operational procedures and system documentation

Recovery Process

London Drugs' recovery from the attack took nearly two weeks and involved substantial efforts:

  • Engagement of multiple external cybersecurity and forensics firms
  • Coordination with law enforcement agencies including the RCMP and FBI
  • System rebuilds from clean backups with extensive verification
  • Sequential restoration of critical systems prioritizing stores in different regions
  • Implementation of enhanced security controls and monitoring before bringing systems back online
  • Extensive testing to ensure no remnants of malware remained

The company gradually reopened stores over April 17-20, with full operational capability restored by late April.

Cybersecurity Gaps Exposed

The London Drugs attack revealed several critical security deficiencies:

  • Inadequate network segmentation between corporate infrastructure and retail point-of-sale systems
  • Lack of sufficient backup independence—ransomware could potentially encrypt backup systems
  • Insufficient monitoring for lateral movement and data exfiltration activities
  • Delayed detection of initial compromise (attackers likely gained access weeks before detection)
  • Limited resilience planning for scenarios affecting all locations simultaneously
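
The segmentation and monitoring gaps listed above can be tested against network flow records. The following Python code is an added example, not taken from London Drugs or from any report on the incident; the segment addresses, allowlist, byte threshold and flow records are all constructed assumptions. It flags flows that cross between segments without an allowlist entry and internal hosts whose total outbound volume to external addresses exceeds the threshold.

```python
import ipaddress
from collections import defaultdict

# Constructed segment plan (assumption; not the retailer's real addressing).
SEGMENTS = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "pos": ipaddress.ip_network("10.20.0.0/16"),
    "backup": ipaddress.ip_network("10.30.0.0/24"),
}
# The only cross-segment flow permitted here: POS to a payment gateway on 443.
ALLOWED = {("pos", "corporate", "10.10.5.20", 443)}
EXFIL_BYTES = 1 * 1024**3  # assumed per-host outbound threshold (1 GiB)

def segment_of(ip):
    """Map an address to its segment name, or 'external' if none matches."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"

def audit(flows):
    """Return (cross-segment violations, {host: external bytes over threshold}).
    Inbound flows from external addresses are reported as violations too."""
    violations, outbound = [], defaultdict(int)
    for src, dst, port, nbytes in flows:
        s, d = segment_of(src), segment_of(dst)
        if d == "external":
            if s != "external":
                outbound[src] += nbytes  # accumulate per internal source host
        elif s != d and (s, d, dst, port) not in ALLOWED:
            violations.append((src, dst, port))
    heavy = {h: b for h, b in outbound.items() if b >= EXFIL_BYTES}
    return violations, heavy

# Constructed flow records: (src, dst, dst_port, bytes)
SAMPLE_FLOWS = [
    ("10.20.1.15", "10.10.5.20", 443, 48_000),        # POS to gateway, allowed
    ("10.10.8.77", "10.20.1.15", 445, 12_000),        # corporate to POS over SMB
    ("10.10.8.77", "10.30.0.5", 445, 9_000),          # corporate to backup over SMB
    ("10.10.8.77", "203.0.113.50", 443, 900 * 1024**2),
    ("10.10.8.77", "203.0.113.50", 443, 1700 * 1024**2),
    ("10.10.3.4", "198.51.100.9", 443, 5 * 1024**2),  # ordinary outbound volume
]

if __name__ == "__main__":
    violations, heavy = audit(SAMPLE_FLOWS)
    for v in violations:
        print("cross-segment flow not on allowlist:", v)
    for host, nbytes in heavy.items():
        print(f"{host} sent {nbytes / 1024**3:.2f} GiB to external hosts")
```

A host that appears in both results, as 10.10.8.77 does in the constructed sample, is the one to triage first.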

Industry Impact and Lessons

The London Drugs incident prompted reassessment of cybersecurity practices across Canadian retail. Major retailers accelerated implementation of network segmentation, enhanced backup strategies, and incident response planning. The incident also highlighted the importance of rapid threat detection and the cascading consequences of centralized IT infrastructure vulnerabilities in geographically distributed retail operations.
