In November 2022, Empire Company Limited disclosed a significant ransomware attack that impacted its entire grocery retail operations across Canada. The Black Basta ransomware gang encrypted critical systems supporting Sobeys, Safeway, IGA, and Foodland brands, affecting store operations, inventory management, and e-commerce platforms across hundreds of locations. The incident resulted in substantial operational disruption lasting several weeks and recovery costs exceeding $25 million, making it one of the costliest ransomware attacks on Canadian retail infrastructure.
What Happened
Empire Company's IT security team discovered the ransomware attack in early November 2022. Investigation revealed that threat actors had gained initial access through compromised credentials and exploitation of vulnerabilities in remote access services. The attackers conducted extensive reconnaissance across Empire's centralized IT infrastructure, identifying critical systems supporting all retail banners. Once positioned throughout the network, Black Basta deployed their ransomware across store systems, distribution centre infrastructure, and corporate systems.
The Black Basta gang posted evidence of the attack to their dark web leak site, claiming to have exfiltrated 100 gigabytes of sensitive data including employee information, vendor contracts, and customer data. The group demanded a substantial ransom in exchange for a decryption key and deletion of exfiltrated data.
Operational Impact
The attack had severe consequences across Empire's retail operations:
- Hundreds of Sobeys, Safeway, IGA, and Foodland stores affected simultaneously
- Point-of-sale systems offline at many locations, forcing manual transaction processing
- Inventory management systems disrupted, affecting stock tracking and replenishment
- E-commerce platforms (Sobeys.com) offline, preventing online orders
- Distribution centre operations disrupted, affecting the supply chain
- Estimated revenue loss exceeding $50 million during the recovery period
- Thousands of employees unable to access critical operational systems
The Black Basta Ransomware Group
Black Basta emerged as a serious threat in 2022 and quickly became one of the most active ransomware-as-a-service operations. The group is known for:
- Targeting large organizations across multiple sectors
- Sophisticated reconnaissance and lateral movement techniques
- Double extortion tactics and aggressive negotiation
- Professional operations and leak site management
- Rapid development of new variants and tooling
- Targeting of supply chain and infrastructure organizations
Recovery and Costs
Empire Company's recovery from the Black Basta attack took several weeks and involved substantial investments:
- Engagement of multiple external cybersecurity and forensics firms
- Coordination with law enforcement, including the RCMP and the FBI
- System rebuilds from clean backups with extensive verification
- Deployment of enhanced security controls across all systems
- Estimated recovery costs exceeding $25 million
- Lost revenue and operational disruption costs
- Ransomware payment (amount not disclosed)
Data Exposed
Black Basta exfiltrated sensitive information including:
- Employee personal information and credentials
- Vendor and supplier contract information
- Customer data and shopping history
- Financial records and proprietary business information
- Strategic planning documents and operational procedures
Broader Retail Industry Impact
The Sobeys attack highlighted the vulnerability of large retail chains to ransomware and the cascading effects on supply chains and consumer services. The incident prompted Canadian retailers to increase cybersecurity investments, implement advanced monitoring systems, and strengthen incident response capabilities. The attack also raised awareness about the importance of network segmentation and backup independence in preventing widespread encryption.
Lessons and Security Improvements
Following the incident, Empire Company and other retailers implemented several critical security enhancements:
- Advanced endpoint detection and response (EDR) across all systems
- Network segmentation to isolate critical store systems from corporate infrastructure
- Enhanced monitoring for suspicious lateral movement and data exfiltration
- Improved backup infrastructure with air-gapped backups resistant to encryption
- Expanded security awareness training for all employees
- Implementation of zero-trust access control principles