Petro-Canada says that most of its gas stations are once again able to accept credit and debit card payments, as the recovery process continues after parent company Suncor Energy was hit by a cyber attack in late June.
Ransomware is heavily suspected, but not yet confirmed, in the cyber attack that sent Petro-Canada gas stations into “cash only” mode for several days. The chain is the retail arm of one of Canada’s largest gasoline producers, with more than a thousand locations across the nation. While most stations can reportedly now take credit card payments again, customers should anticipate that some here and there might still be dealing only in cash and that loyalty points may not be available.
Gas stations recovering card payments, but loyalty and pass program access remains spotty
In the final days of June, many customers were taken by surprise when they pulled into Petro-Canada gas stations only to find “cash only” signs flying. The issue was not uncommon, as the chain is one of the largest in the country.
As of early July, things appear to be getting back on track. However, customers may still have issues with their loyalty program points and season passes for car washes that they may have purchased. The gas stations allow customers to pay for fuel-ups and other items with their loyalty points, and that functionality was taken out along with the card payment systems after the cyber attack hit Suncor.
While it remains unclear who the culprits were, a Canadian intelligence agency (the Communications Security Establishment) issued a public warning regarding the oil and gas industry just a few days before the cyber attack. The agency said that non-state (but apparently quite nationalist) threat actors were planning to target the industry, particularly the consumer end of it (such as gas stations), as a means of reducing general public support for Canadian aid to Ukraine. State-backed Russian hacking teams definitely have a documented interest in attacking Canada’s gas supply, but they tend to be interested more in pipelines than retail pumps.
Cyber attack reportedly did not impact personal information
There has not been a major update from Suncor since its initial press release a week ago, but the company has said that no personal information was compromised in the attack. If that is true, it appears to be a fairly straightforward ransomware attack without data exfiltration or extortion.
As to how a ransomware attack on Suncor might have led to the payment systems at gas stations being locked up, the likely culprit is a Windows system that manages the pumps. Gas pumps have shipped with Windows since at least 2006, and Linux-based pump management systems have even been spotted in the wild in recent years. Unfortunately, some of these pumps are running extremely outdated versions of Windows (such as CE and XP) and are not designed to be upgraded.
There also appears to be some connection to the loyalty program along these lines, as customers were not able to earn or use points during much of the recovery period, or even to log into their accounts online. And those who purchased carwash season passes, which allow for several months of daily washes for a flat price, were also not able to make use of the benefit.