Petro-Canada payment problems continue, but company says it’s ‘making progress’ on fix

Petro-Canada says the nearly weeklong problems that customers have experienced with things like payment and loyalty programs at the gas station chain are ongoing, but it is making progress on solving them.

Problems at the company started about a week ago, when on Friday reports suggested that parent company Suncor had been hacked. Over the weekend, Suncor acknowledged it had experienced a “cybersecurity incident” and stressed that while it was confident that no customer or employee data had been stolen, “some transactions with customers and suppliers may be impacted.”

One of the first places where such disruptions were found was at Petro-Canada, where the chain of more than 1,500 locations across the country had problems processing debit and credit payments. Other services such as the loyalty program app Petro-Points and a car wash-related service have also been impacted.

“As we are working to resolve the incident there have been customer and supplier transactions impacted,” a spokesperson for the company told CBC News on Thursday. “We are making progress and continuing to respond to the incident.”

Petro-Canada said on Twitter that it is “making progress on resolving the disruptions customers have been experiencing and will continue to update you as more services come back online.

“We apologize for the inconvenience this has caused, and we thank you for your patience.”

WATCH | Customers confused and concerned by outage:

Customers concerned by Petro-Canada outage

Filling up at gas stations in Toronto, drivers told CBC News that the cybersecurity incident that has knocked out credit and debit payments at Petro-Canada for several days now is not only inconvenient, it’s also troubling.

Customers filling up told CBC News the incident was inconvenient, but also concerning.

Ella Lee-O’Rourke tried to fill up at a station in Toronto this week and wanted to pay with a card, but had to revert to only buying $20 worth because she happened to have a cash bill on her.

“Nobody carries cash around,” she said. “I”m probably not going to come here for a while again, because I could just go somewhere else that can accept my card.”

Ben Abouakr tried to fill up at a Petro-Canada station in Toronto, but couldn’t so he went to a nearby Shell instead.

“I saw the piece of paper on the pumps saying cash only,” he told CBC News. “It must be something — for three days? It’s more than a technical issue.”

Could be ‘massive problem’

Suncor has yet to tie the cybersecurity incident to problems at Petro-Canada, or even say what type of incident it was, but Ian Paterson, the CEO of cybersecurity firm Plurilock, says the incident does bear some of the telltale signs of being a “ransomware” attack, where nefarious actors seek access to a company’s network and then hold it hostage in exchange for payment.

He cautions, however, that it may not be.

“If a company is taking down systems voluntarily to try to figure out what happened, it would actually look very similar to a ransomware attack,” Paterson said.

Those attacks often happen when the hackers think there may be a vulnerability of some sort, so they often happen during down times such as over holidays, or headed into a weekend.

“Seeing something take place on a Thursday or Friday is not surprising,” he said.

Whatever the cause, given how long the outage has already gone on for, he thinks the company has a “massive problem” on its hands.

“If there is an attack this widespread it’s going to be time consuming and expensive,” he said.

Reputational damage

Jon Ferguson, general manager of cybersecurity at the Canadian Internet Registration Authority, agrees that the impact of this cybersecurity incident is likely to be a long one for the company

One of the challenges is it’s a large organization, he said.

“If they have to go in and modify critical systems, that can take a very long time to recover, depending on what’s damaged,” Ferguson told The Canadian Press.

“And then there’s the cost of disruption. I have no idea how much gas Petro-Canada didn’t sell because people didn’t have cash.”

There’s also the cost of the damage to the company’s reputation, he said, “which is very hard to measure, but you’re probably going to think twice before you slip your credit card into a Petro-Canada gas machine now.”

Companies hit by cybersecurity incidents

The incident is just the latest cybersecurity breach to make headlines of late. In February, retailer Indigo was hit by a ransomware attack that wiped out credit and debit payments for days and the online store for almost a month.

And in 2021, American pipeline company Colonial Pipeline was knocked offline after hackers infiltrated the company’s systems. That attack shut the flow of gasoline across the key pipeline that supplies the eastern seaboard, leading to widespread shortages.

a truck owned by the colonial pipeline is shown
The Colonial Pipeline was knocked offline by hackers for several days in 2021, walloping gasoline markets. (Hussein Waaile/Reuters)

Last week, the Canadian Centre for Cyber Security warned that ransomware attacks — where hackers gain access to a company’s internal system and demand payment in exchange for giving it back to them — was the No. 1 cyber threat facing Canada’s oil and gas sector.

“Ransomware is almost certainly the primary cyber threat to the reliable supply of oil and gas to Canadians,” the centre said.

Last year, Suncor was one of two dozen oil and gas companies that signed the Cyber Resilience Pledge, a vow to beef up cybersecurity, following the hack of the Colonial Pipeline the year prior.