World NewsCanada

Cyberattack on Suncor Leaves Petro-Canada Gas Stations Accepting Cash Only

Save
Cyberattack on Suncor Leaves Petro-Canada Gas Stations Accepting Cash Only
A sign displays the price of a litre of gas at a Petro-Canada station in Burnaby, B.C., on March 2, 2022. (Darryl Dyck/The Canadian Press)
Marnie Cathcart
6/26/2023
Updated:
6/26/2023
0:00

A cybersecurity attack on Suncor Energy has forced Petro-Canada gas stations across the country to move to cash only, and also prevents customers from using the Petro-Points loyalty program.

Suncor said in a news release on June 25 that it had “experienced a cyber security incident.”

“The company is taking measures and working with third-party experts to investigate and resolve the situation, and has notified appropriate authorities,” the release said. “At this time, we are not aware of any evidence that customer, supplier or employee data has been compromised or misused as a result of this situation. While we work to resolve the incident, some transactions with customers and suppliers may be impacted.”

Suncor’s operations include oilsands development and production, offshore oil and gas, petroleum refining in Canada and the United States, and Petro-Canada gas stations and wholesale distribution networks.

Petro-Canada said in a social media post on June 24 that customers logging into Petro-Points from the app and website would find it “temporarily unavailable” and apologized for the service disruption.
“Petro-Canada is a Suncor business and together, we’re responding to a cubersecurity incident,” it said. “While our sites are open, you may experience disruption to some services.”

The gas station chain said some locations “can only accept cash and our app and Petro-Points login are unavailable,” and that car washes were unavailable at some locations.

“What matters most to us is you and your safety. Thanks for your support and understanding as we work to keep you moving,” it said.

Unhappy Customers

Customers on Petro-Canada’s Twitter were reporting that gas pumps had been down since June 22 or 23, with complaints from a number of customers stating they had a season pass and were not able to access car washes. Another poster complained that Petro-Canada had been down since June 22.
“Can’t use the app for the car wash for 3 days!! Unbelievable!!” said one customer.
“The wash centers in Barrie, Ontario (both Mapleview and Bayfield) are not allowing any car wash and have kept the centers closed. They are saying the app is not giving them the code itself, petro canada has to compensate for my 4 visits to the car wash centers over the last 3 days,” said another.

One customer said he was on empty when he pulled into the gas station: “Drove my last 6km in my tank to fill up just to find out you can’t pay for gas because their system is down. Not to wait 3h for CAA to tow me 28km to next gas station never filling up at Petro Canada again.” Other customers were quick to suggest the driver erred by letting his gas tank get too low, and questioned why he didn’t use an ATM to pay for gas with cash.

Meanwhile, pass holders for car washes had their own complaints. “Paid $236 dollars for the car wash season pass haven’t been able to use my card since Friday every time I go to car wash it’s broken I feel like I’ve been scammed,” said one individual.
One customer said, “I went to get gas yesterday morning at 7am and was told your whole system was down. No credit/debit or Petro Points. We had to pay cash, luckily I still carry cash with me. I swiped my card, but they said I may or may not receive points. It’s your whole system not just points.”
Another customer suggested that Petro-Canada reimburse pass holders with extensions on their plan. “Please fix ASAP! And ensure customers who have the season pass car wash card are compensated with extra wash days due to this outage!!” he said.

Scope Unknown

Suncor did not respond to a request for information by press time, but said in the news release that customer information is safe. “At this time, we are not aware of any evidence that customer, supplier or employee data has been compromised or misused as a result of this situation,” said Suncor.

The energy company did not provide details about the type of attack or what operations internally were affected. A timeline for restoration of all services has not been provided.

One cybersecurity expert suggests that this was likely a substantial data breach. Ian L. Paterson, the CEO of Vancouver-based Plurilock Security Inc., said he was told about Suncor employees allegedly being unable to log in to their own internal accounts.
“All of these things put together seem to suggest that there could be a sizable cyber incident that’s taking place,” Paterson told the National Post. He suggested that it could be similar to a ransomware attack in 2021 that targeted the Canadian Colonial Pipeline. This attack was the largest strike on oil infrastructure in the United States and forced pipeline operations to grind to a halt.

“This has the potential to be very, very serious for Suncor, and it’s not really a surprise,” Paterson said. “The cybersecurity industry as a whole, and certainly governments both at the federal level and others, have been sounding the alarm for many years that critical infrastructure in particular is vulnerable.”

“The problem here is that it’s such a large operation with multiple subsidiaries with such an expansive set of services,” he added, referring to Suncor’s extensive operations.

“If the threat actor has been present and persistent for a long time, it could take a very long time to root them out.”

The Canadian Press contributed to this report.