Loblaw Faces Alleged Massive Data Breach as Threat Actor Demands Response
A threat actor operating under the handle "igotafeeling" on the DarkWeb Informer forum has claimed to have breached Loblaw, Canada’s largest food and pharmacy retailer, which owns brands like President’s Choice, No Frills, Shoppers Drug Mart, Real Canadian Superstore, and the PC Optimum loyalty program.
The actor alleges possession of over 1.8 billion records, including:
- 75.1 million Salesforce customer records (names, emails, phone numbers, addresses, loyalty IDs, and health card numbers)
- 724.9 million Shoppers Drug Mart records (passwords, tokens, loyalty IDs, payment details, and full credit card numbers with expiry dates)
- 129.9 million pharmacy fill requests (prescription numbers and patient IDs)
- 120.4 million e-commerce fraud-feed records (payment card BINs, last-four digits, and expiry dates)
- 20.2 million Delivery Ops Portal records (orders, deliveries, and postal codes)
- 3,014 GitLab projects containing Loblaw’s full source code
- 19.3 million Oracle identity records (MFA device details and credentials)
- 55.3 million marketing and email records across 673 tables
The threat actor has given Loblaw until March 19 to respond, accusing the company of "ghosting" them and dismissing customer and investor concerns. They have also invited media organizations to verify the data’s authenticity.
In response, Loblaw issued a March 12 press release, labeling the incident a "low-level data breach" and stating that only "basic customer information" (names, phone numbers, and emails) may have been accessed. The company explicitly denied evidence of financial or credit card data compromise directly contradicting the threat actor’s claims.
While the breach remains unverified, the scale of the alleged exposure if confirmed would rank among the largest in Canadian history. The situation mirrors past high-profile breaches (e.g., T-Mobile, Equifax, Capital One), where initial corporate statements downplayed impact before later revelations proved otherwise.
Loblaw customers with PC Optimum accounts, Shoppers Drug Mart loyalty cards, or prescription histories may be affected if the claims hold true. The deadline for Loblaw’s response is six days away.
No Frills cybersecurity rating report: https://www.rankiteo.com/company/no-frills
Shoppers Drug Mart cybersecurity rating report: https://www.rankiteo.com/company/shoppers-drug-mart
President's Choice Financial cybersecurity rating report: https://www.rankiteo.com/company/president's-choice-financial
Loblaw Companies Limited cybersecurity rating report: https://www.rankiteo.com/company/loblaw-companies-limited
"id": "NO-SHOPRELOB1773534483",
"linkid": "no-frills, shoppers-drug-mart, president's-choice-financial, loblaw-companies-limited",
"type": "Breach",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': 'Potentially millions (PC '
'Optimum, Shoppers Drug Mart, '
'prescription users)',
'industry': 'Retail, Grocery, Pharmacy, Loyalty '
'Programs',
'location': 'Canada',
'name': 'Loblaw Companies Limited',
'size': 'Large (Canada’s largest food and pharmacy '
'retailer)',
'type': 'Retailer / Pharmacy'}],
'customer_advisories': 'Loblaw customers with PC Optimum accounts, Shoppers '
'Drug Mart loyalty cards, or prescription histories '
'advised to monitor for potential fraud',
'data_breach': {'data_exfiltration': 'Alleged (data sold on dark web if '
'claims are true)',
'number_of_records_exposed': '1.8 billion (alleged)',
'personally_identifiable_information': 'Yes (names, emails, '
'phone numbers, '
'addresses, health '
'card numbers, '
'prescription IDs)',
'sensitivity_of_data': 'High (PII, financial data, health '
'information, source code)',
'type_of_data_compromised': ['Customer records (names, '
'emails, phone numbers, '
'addresses, loyalty IDs)',
'Health card numbers',
'Pharmacy fill requests '
'(prescription numbers, patient '
'IDs)',
'Payment details (full credit '
'card numbers with expiry dates, '
'BINs, last-four digits)',
'Source code (GitLab projects)',
'MFA device details and '
'credentials (Oracle identity '
'records)',
'Marketing and email records']},
'date_publicly_disclosed': '2024-03-12',
'description': "A threat actor operating under the handle 'igotafeeling' on "
'the DarkWeb Informer forum has claimed to have breached '
'Loblaw, Canada’s largest food and pharmacy retailer. The '
'actor alleges possession of over 1.8 billion records, '
'including customer data, pharmacy records, payment details, '
"and source code. Loblaw has labeled the incident a 'low-level "
"data breach' and denied evidence of financial or credit card "
'data compromise.',
'impact': {'brand_reputation_impact': 'Potential significant impact if claims '
'are verified',
'data_compromised': 'Over 1.8 billion records allegedly exposed',
'identity_theft_risk': 'High (health card numbers, prescription '
'IDs, PII)',
'payment_information_risk': 'High (full credit card numbers with '
'expiry dates)',
'systems_affected': ['Salesforce',
'Shoppers Drug Mart systems',
'GitLab projects',
'Oracle identity systems',
'E-commerce platforms']},
'initial_access_broker': {'data_sold_on_dark_web': 'Alleged (if claims are '
'verified)'},
'investigation_status': 'Unverified (allegations under scrutiny)',
'motivation': 'Extortion (response demanded by March 19)',
'ransomware': {'data_exfiltration': 'Alleged'},
'references': [{'source': 'DarkWeb Informer forum (threat actor '
"'igotafeeling')"},
{'source': 'Loblaw Press Release (March 12)'}],
'response': {'communication_strategy': 'Press release downplaying the breach '
'and denying financial data '
'compromise'},
'threat_actor': 'igotafeeling',
'title': 'Alleged Massive Data Breach at Loblaw',
'type': 'Data Breach'}