‘Unauthorized party’ obtained Petro-Points members’ contact information in IT breach, company says

An unauthorized party obtained Petro-Points members’ basic contact information in a cybersecurity incident that happened roughly two weeks ago, the company said on Twitter Thursday. 

It’s now warning customers to watch out for unusual emails and messages and to “confirm that any request to link, download, call someone or provide personal information is legitimate.”

“We regret this incident has happened and we appreciate your patience and understanding as we work to resolve the situation,” the company said. 

The incident happened on or around June 21 when the “unauthorized party” accessed the company’s IT network, prompting Petro-Canada to disable its Petro-Points website and app, the company said. 

On June 25, Suncor — Petro-Canada’s Calgary-based parent company — confirmed it had experienced a cybersecurity incident.

“It’s interesting that it’s taken them this length of time to figure out that some customer contact data was taken,” said Geoffrey Cann, a former Deloitte partner and trainer who helps the energy industry deal with digital change. 

“My personal view is it’s taken a very long time to come around to this, and 10 days has already lapsed where people may have been contacted.” 

In a statement Thursday, Suncor said the incident has not affected the safety or reliability of its field operations. The company said it is notifying Petro-Points members and privacy regulators about the incident and will update “affected parties” if it discovers additional information was accessed in the breach. 

Petro-Canada says customers’ points balances are safe and that it will provide a credit for points earned during the outage. 

Suncor did not immediately respond to CBC’s request for an interview on the subject.