Our Purpose – Live Life Well

Loblaw Companies Limited is Canada’s food and pharmacy leader, the nation’s largest retailer, and the majority unit holder of Choice Properties Real Estate Investment Trust. Loblaw – and its portfolio of grocery, health and beauty, financial services and apparel businesses – provides Canadians with an unparalleled mix of value, assortment and convenience, and offers Canadians two of the country’s most recognized brands – President’s Choice and no name. The acquisition of Shoppers Drug Mart, along with the powerful Life Brand and Optimum brand, has only served to reinforce our leadership position in the marketplace. As well, our PC Plus program, omni-channel efforts and multicultural merchandising offerings continued to be points of differentiation for our customer experience. In 2019, Loblaw has been recognized as one of Canada’s Top 100 Employers, Best Diversity Employers by Mediacorp Canada Inc.

IMPORTANT NOTE ABOUT FRAUD AFFECTING OUR JOBSEEKERS. Please be advised that recruitment fraud has affected a number of Canadian companies. In such schemes, individuals posing as legitimate recruiters may request personal information and payment from those seeking employment. Loblaw Companies Limited, its subsidiaries, and recruiting agencies will never ask for payment at any stage in the recruitment process. All legitimate postings may be accessed via our career website.

Loblaw Companies Limited A.I CyberSecurity Scoring

LCL

Company Details

  • LinkedIn ID: loblaw-companies-limited
  • Employees number: 23,641
  • Number of followers: 275,136
  • NAICS: 43
  • Industry Type: Retail
  • Homepage: loblaw.ca
  • IP Addresses: 18
  • Company ID: LOB_2532471
  • Scan Status: In-progress

AI score: LCL Risk Score (AI oriented)

Between 600 and 649

  • Powered by our proprietary A.I cyber incident model
  • Insurance prefers TPRM score to calculate premium

Loblaw Companies Limited

Poor
Current Score
618
Caa (Poor)
Score scale: 0 to 1000
6 incidents
-57.0 avg impact

Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.

APRIL 2026
620
MARCH 2026
689
Breach
13 Mar 2026 • Shoppers Drug Mart, President’s Choice, Loblaw, No Frills and PC Optimum: “Threat Actor” on the dark web claims Loblaw’s “low-level” data breach is a much larger threat
Alleged Massive Data Breach at Loblaw

**Loblaw Faces Alleged Massive Data Breach as Threat Actor Demands Response**

A threat actor operating under the handle *"igotafeeling"* on the *DarkWeb Informer* forum has claimed to have breached **Loblaw**, Canada’s largest food and pharmacy retailer, which owns brands like *President’s Choice, No Frills, Shoppers Drug Mart, Real Canadian Superstore*, and the *PC Optimum* loyalty program. The actor alleges possession of **over 1.8 billion records**, including:

- **75.1 million Salesforce customer records** (names, emails, phone numbers, addresses, loyalty IDs, and health card numbers)
- **724.9 million Shoppers Drug Mart records** (passwords, tokens, loyalty IDs, payment details, and full credit card numbers with expiry dates)
- **129.9 million pharmacy fill requests** (prescription numbers and patient IDs)
- **120.4 million e-commerce fraud-feed records** (payment card BINs, last-four digits, and expiry dates)
- **20.2 million Delivery Ops Portal records** (orders, deliveries, and postal codes)
- **3,014 GitLab projects** containing Loblaw’s full source code
- **19.3 million Oracle identity records** (MFA device details and credentials)
- **55.3 million marketing and email records** across 673 tables

The threat actor has given Loblaw until **March 19** to respond, accusing the company of *"ghosting"* them and dismissing customer and investor concerns. They have also invited media organizations to verify the data’s authenticity.

In response, Loblaw issued a **March 12 press release**, labeling the incident a *"low-level data breach"* and stating that only *"basic customer information"* (names, phone numbers, and emails) may have been accessed. The company explicitly denied evidence of financial or credit card data compromise, directly contradicting the threat actor’s claims.

While the breach remains **unverified**, the scale of the alleged exposure, if confirmed, would rank among the largest in Canadian history. The situation mirrors past high-profile breaches (e.g., *T-Mobile, Equifax, Capital One*), where initial corporate statements downplayed impact before later revelations proved otherwise. Loblaw customers with *PC Optimum accounts, Shoppers Drug Mart loyalty cards, or prescription histories* may be affected if the claims hold true. The deadline for Loblaw’s response is **six days away**.

618
critical -71
NO-SHOPRELOB1773534483
Data Breach
Extortion (response demanded by March 19)
Data Compromised: Over 1.8 billion records allegedly exposed
  • Salesforce
  • Shoppers Drug Mart systems
  • GitLab projects
  • Oracle identity systems
  • E-commerce platforms
Brand Reputation Impact: Potential significant impact if claims are verified
Identity Theft Risk: High (health card numbers, prescription IDs, PII)
Payment Information Risk: High (full credit card numbers with expiry dates)
Communication Strategy: Press release downplaying the breach and denying financial data compromise
  • Customer records (names, emails, phone numbers, addresses, loyalty IDs)
  • Health card numbers
  • Pharmacy fill requests (prescription numbers, patient IDs)
  • Payment details (full credit card numbers with expiry dates, BINs, last-four digits)
  • Source code (GitLab projects)
  • MFA device details and credentials (Oracle identity records)
  • Marketing and email records
Number Of Records Exposed: 1.8 billion (alleged)
Sensitivity Of Data: High (PII, financial data, health information, source code)
Data Exfiltration: Alleged (data sold on dark web if claims are true)
Personally Identifiable Information: Yes (names, emails, phone numbers, addresses, health card numbers, prescription IDs)
Unverified (allegations under scrutiny)
Loblaw customers with PC Optimum accounts, Shoppers Drug Mart loyalty cards, or prescription histories advised to monitor for potential fraud
Data Sold On Dark Web: Alleged (if claims are verified)
MARCH 2026
780
Breach
10 Mar 2026 • Loblaw Companies Limited: Loblaw notifies customers of a low-level data breach
Loblaw Data Breach Impacting Customer Information

**Loblaw Investigates Data Breach Impacting Customer Information** On March 10, 2026, Loblaw Companies Limited, Canada’s largest food and pharmacy retailer, disclosed a data breach affecting some of its customers. The company detected suspicious activity on a non-critical segment of its IT network, leading to an investigation that confirmed unauthorized access by a third-party criminal. The exposed data includes basic customer details such as names, phone numbers, and email addresses. Loblaw’s investigation indicates that passwords, health information, and credit card data were not compromised, and PC Financial services remained unaffected. As part of its response, Loblaw secured its network and logged out all customers from their accounts, requiring them to re-authenticate to access digital services. The company continues its forensic investigation to assess the full scope and impact of the incident. Loblaw, which employs over 220,000 people across Canada, has not provided further details on the number of affected customers or the method of the breach. The incident remains under review as the company evaluates potential risks and next steps.

742
critical -38
LOB1773182157
Data Breach
Data Compromised: Names, phone numbers, email addresses
Systems Affected: Non-critical segment of IT network
Operational Impact: Customers logged out and required to re-authenticate
Payment Information Risk: None (credit card data not compromised)
Containment Measures: Secured network, logged out all customers
Remediation Measures: Requiring re-authentication for digital services
Type Of Data Compromised: Basic customer details
Sensitivity Of Data: Low (no passwords, health info, or credit card data)
Personally Identifiable Information: Names, phone numbers, email addresses
Ongoing
Customers logged out and required to re-authenticate
FEBRUARY 2026
780
JANUARY 2026
779
DECEMBER 2025
778
NOVEMBER 2025
778
OCTOBER 2025
777
SEPTEMBER 2025
776
AUGUST 2025
775
JULY 2025
775
JUNE 2025
773
Ransomware
16 Jun 2025 • Broadcom
Cl0p Exploits Zero-Day Vulnerabilities in Oracle E-Business Suite Leading to Massive Data Breaches

Broadcom, a global technology leader valued at hundreds of billions, was among the high-profile victims of **Cl0p’s ransomware attack** exploiting a **zero-day vulnerability in Oracle’s E-Business Suite (CVE-2025-61882 and CVE-2025-21884)**. The cybercriminal group **exfiltrated sensitive corporate and customer data**, threatening to leak or sell it unless a ransom was paid. The breach compromised critical systems, risking **financial records, proprietary business data, and third-party customer information**. Cl0p’s extortion tactics included warnings of **public disclosure on their blog, torrent leaks, or sales to malicious actors**, amplifying reputational and operational risks. Given Broadcom’s role in semiconductor and infrastructure technology, the attack posed **supply chain cascading risks**, potentially disrupting clients reliant on its products. Oracle issued emergency patches, but the damage—including **data theft, potential regulatory fines, and erosion of stakeholder trust**—had already occurred. The incident underscores vulnerabilities in enterprise software dependencies, with Broadcom facing **long-term financial and strategic repercussions** if the stolen data is weaponized.

711
critical -62
BRO3105131112625
  • Ransomware
  • Data Breach
  • Zero-Day Exploit
  • Zero-Day Exploit (CVE-2025-61882, CVE-2025-21884)
  • Unauthenticated HTTP Requests
  • Data Exfiltration
CVE-2025-61882: Vulnerability in BI Publisher Integration allowing unauthenticated attackers to send crafted HTTP requests for full system compromise.
  • Oracle EBS 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10, 12.2.11, 12.2.12, 12.2.13, 12.2.14
CVE-2025-21884: Vulnerability in Runtime UI of Oracle Configurator allowing unauthorized access to critical/sensitive data via HTTP.
  • Oracle EBS 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10, 12.2.11, 12.2.12, 12.2.13, 12.2.14
Financial Gain (Ransomware Extortion)
Oracle E-Business Suite (EBS) versions 12.2.3–12.2.14
Operational Impact: Significant (data exfiltration, potential system compromise)
Brand Reputation Impact: High (public disclosure of breaches, ransom demands)
Identity Theft Risk: High (PII and sensitive corporate data exfiltrated)
  • Mandiant (Google-owned cybersecurity firm)
  • Oracle security patches (CVE-2025-61882, CVE-2025-21884)
  • Patch application for Oracle EBS vulnerabilities
  • Oracle security alerts to customers
  • Public disclosure via media
  • Corporate Data
  • Customer Data
  • Sensitive Business Information
Sensitivity Of Data: High
Supplier vulnerabilities in enterprise software (e.g., Oracle EBS) can cascade into large-scale breaches across industries. Proactive patch management and supply chain risk monitoring (e.g., via SCRM platforms like Z2Data) are critical to mitigating third-party risks. Cl0p’s delayed data leak strategy highlights the importance of rapid incident response to prevent public exposure of sensitive data.
  • Apply Oracle security patches for CVE-2025-61882 and CVE-2025-21884 immediately.
  • Implement supply chain risk management (SCRM) tools to assess third-party vendor vulnerabilities (e.g., Z2Data).
  • Enhance monitoring for unauthenticated HTTP requests targeting Oracle EBS components.
  • Conduct regular audits of enterprise software for zero-day vulnerabilities.
  • Develop and test incident response plans for ransomware attacks, including data exfiltration scenarios.
  • Evaluate the need for network segmentation to limit lateral movement in case of breaches.
Ongoing (Cl0p’s data leak timeline suggests delayed public exposure)
Companies advised to monitor for data leaks on Cl0p’s blog or dark web marketplaces
  • Oracle security alerts urging immediate patching
  • Mandiant’s analysis of Cl0p’s modus operandi
  • Zero-day vulnerabilities in Oracle EBS (CVE-2025-61882, CVE-2025-21884)
Reconnaissance Period: Since late September 2023 (pre-exploitation activity)
  • Fortune 500 companies (e.g., Broadcom, Estée Lauder)
  • Multinational corporations with Oracle EBS dependencies
  • Unpatched zero-day vulnerabilities in Oracle EBS (CVE-2025-61882, CVE-2025-21884).
  • Lack of real-time monitoring for unauthenticated HTTP requests targeting critical components (BI Publisher, Configurator UI).
  • Supplier risk blind spots in enterprise software supply chains.
  • Immediate application of Oracle-provided security patches.
  • Enhanced supplier risk assessments using SCRM platforms (e.g., Z2Data).
  • Implementation of behavioral WAFs or anomaly detection for Oracle EBS environments.
  • Review of third-party software dependencies for similar vulnerabilities.
MAY 2025
773
MAY 2024
798
Breach
03 May 2024 • Loblaw Companies Ltd.: Loblaw says some customers affected by data breach
Loblaw Data Breach

**Loblaw Data Breach and U.S. Consulate Shooting Highlight Security Incidents in Canada** Loblaw Companies Ltd., the parent company of Loblaws and Shoppers Drug Mart, disclosed a data breach affecting some customers after detecting suspicious activity on a non-critical part of its IT network. The breach exposed names, phone numbers, and email addresses, though passwords, health information, and credit card data remained secure. The company has since secured its systems, logged out all customers, and confirmed that PC Financial was unaffected. The number of impacted customers was not specified. Separately, Toronto police are investigating a national security incident after multiple shots were fired at the U.S. Consulate in downtown Toronto early Tuesday morning. Authorities are examining potential links to recent shootings at local synagogues. Police released an image of a suspect vehicle, believed to be connected to two male suspects. Ontario Premier Doug Ford suggested the incident may be tied to broader security threats, though the RCMP has not confirmed his claims about terror sleeper cells in Canada. The incidents coincide with severe weather warnings for southern Ontario, where heavy rainfall starting Tuesday night could lead to localized flooding. Investigations into both the cyber breach and the consulate shooting remain ongoing.

760
critical -38
LOB1773184670
Data Breach
Data Compromised: Names, phone numbers, email addresses
Systems Affected: Non-critical part of IT network
Payment Information Risk: None (credit card data remained secure)
Incident Response Plan Activated: Yes
Containment Measures: Secured systems, logged out all customers
Communication Strategy: Public disclosure
Type Of Data Compromised: Personal Identifiable Information (PII)
Sensitivity Of Data: Low to moderate (no passwords, health info, or credit card data exposed)
Personally Identifiable Information: Names, phone numbers, email addresses
Ongoing
Customers logged out, advised to monitor accounts
MAY 2018
784
Breach
03 May 2018 • Loblaw Companies Limited, Shoppers Drug Mart and No Frills: Loblaw investigates data breach after identifying suspicious activity
Loblaw Investigates Data Breach Following Suspicious Activity

**Loblaw Investigates Data Breach Following Suspicious Activity** Loblaw Companies Limited, one of Canada’s largest grocery and pharmacy retailers, is investigating a potential data breach after detecting suspicious activity within its systems. The company confirmed the incident but has not disclosed specific details about the nature of the breach, the number of affected customers, or whether personal or financial data was compromised. The investigation comes as cybersecurity threats targeting retailers continue to rise, with attackers often seeking payment card information, customer records, or access to corporate networks. Loblaw operates major brands, including Shoppers Drug Mart, Real Canadian Superstore, and No Frills, serving millions of Canadians. While the company has not provided a timeline for the incident, data breaches in the retail sector typically prompt heightened monitoring for fraudulent transactions and potential regulatory scrutiny. The outcome of Loblaw’s investigation may determine whether affected individuals will be notified or offered credit monitoring services. The incident underscores the ongoing risks faced by large retailers, which remain prime targets for cybercriminals due to the vast amounts of sensitive data they handle. Further updates are expected as the investigation progresses.

746
critical -38
LOBSHONO-1773196440
Data Breach
  • Personal Data
  • Financial Data
Ongoing
JULY 2017
829
Breach
01 Jul 2017 • Loblaw Companies Limited
Loblaws Security Breach Incident

Loblaws suffered a security breach that exposed a ‘small number’ of accounts. In addition to other websites from the Loblaws food company, the compromised websites include Joefresh.com, Beautyboutique.ca, and Loblaws.ca. The company sent an email to those affected by the breach.

778
low -51
LOB944271022
Security Breach
  • Joefresh.com
  • Beautyboutique.ca
  • Loblaws.ca
Communication Strategy: Sent an email to those affected by the breach

Frequently Asked Questions

According to Rankiteo, the current A.I.-based Cyber Score for Loblaw Companies Limited is 618, which corresponds to a Poor rating.

According to Rankiteo, the A.I. Rankiteo Cyber Score for March 2026 was 780.

According to Rankiteo, the A.I. Rankiteo Cyber Score for February 2026 was 780.

According to Rankiteo, the A.I. Rankiteo Cyber Score for January 2026 was 779.

According to Rankiteo, the A.I. Rankiteo Cyber Score for December 2025 was 778.

According to Rankiteo, the A.I. Rankiteo Cyber Score for November 2025 was 778.

According to Rankiteo, the A.I. Rankiteo Cyber Score for October 2025 was 777.

According to Rankiteo, the A.I. Rankiteo Cyber Score for September 2025 was 776.

According to Rankiteo, the A.I. Rankiteo Cyber Score for August 2025 was 775.

According to Rankiteo, the A.I. Rankiteo Cyber Score for July 2025 was 775.

According to Rankiteo, the A.I. Rankiteo Cyber Score for June 2025 was 773.

According to Rankiteo, the A.I. Rankiteo Cyber Score for May 2025 was 773.

Over the past 12 months, the average per-incident point impact on Loblaw Companies Limited’s A.I Rankiteo Cyber Score has been -57.0 points.

You can access Loblaw Companies Limited’s cyber incident details on Rankiteo by visiting the following link: https://www.rankiteo.com/company/loblaw-companies-limited.

You can find the summary of the A.I Rankiteo Risk Scoring methodology on Rankiteo by visiting the following link: Rankiteo Algorithm.

You can view Loblaw Companies Limited’s profile page on Rankiteo by visiting the following link: https://www.rankiteo.com/company/loblaw-companies-limited.

With scores of 18.5/20 from OpenAI ChatGPT, 20/20 from Mistral AI, and 17/20 from Claude AI, the A.I. Rankiteo Risk Scoring methodology is validated as a market leader.