Suncor Energy suffers cybersecurity incident

CALGARY – Canadian oil company Suncor Energy Inc. has confirmed it has been the victim of a cyberattack.

The Calgary-based energy giant said in a news release late Sunday that it has “experienced a cyber-security incident.”

Suncor provided no further details about the attack, or which parts of its operations were affected.

However, over the weekend, social media users complained about an inability to use credit or debit cards at the company’s chain of Petro-Canada gas stations, as well as difficulties accessing car wash.

Ian L. Paterson, CEO of Vancouver-based cybersecurity company Plurilock Security Inc., said that as early as Friday, he was also hearing Suncor employees being unable to log in to their own internal accounts.

Paterson said much is still unknown about the attack and its impacts, but added his early read on the situation is that this is not a minor data breach.

On Saturday, Petro-Canada’s official Twitter account also issued a tweet saying that the company’s Petro-Points app and website were temporarily unavailable.

“All of these things put together seem to suggest that there could be a sizable cyber incident that’s taking place,” Paterson said.

“I think that this actually could be the Canadian Colonial Pipeline, just in the sense that Suncor is such a large part of the economy.”

In 2021, a ransomware attack successfully targeted the Colonial Pipeline, the largest pipeline system for refined oil products in the U.S.

It was the largest cyberattack on oil infrastructure in the history of the United States, and forced the company to temporarily halt pipeline operations.

In Canada, there hasn’t been a large-scale, successful cyberattack on a domestic oil and gas company, though cybersecurity experts have been warning for years that this country’s energy industry is an attractive target for cybercriminals.

That includes both financially motivated cybercriminals, such as ransomware attackers, as well as state-sponsored hackers seeking to create geopolitical mayhem.

“This has the potential to be very, very serious for Suncor, and it’s not really a surprise,” Paterson said.

“The cybersecurity industry as a whole, and certainly governments both at the federal level and others, have been sounding the alarm for many years that critical infrastructure in particular is vulnerable.”

There is no indication that any of Suncor’s critical infrastructure, such as oilsands facilities or refineries, have been affected by the incident.

The company said there is also no evidence that any customer, supplier or employee data has been compromised or misused.

Suncor said Sunday that some transactions with customers and suppliers may be impacted as the company continues to work to resolve the situation. It also said it has notified appropriate authorities about the attack.

Paterson said in the best-case scenario, Suncor will have caught the breach quickly. But he said it’s also possible that it could take the company a very long time to resolve the issue.

“The problem here is that it’s such a large operation with multiple subsidiaries with such an expansive set of services,” he said.

“If the threat actor has been present and persistent for a long time, it could take a very long time to root them out.”

Feature image by iStock.com/peshkov