Canadian oil giant Suncor confirms cyberattack after countrywide outages

The Canadian oil giant Suncor has confirmed that a cyberattack was the cause of widespread outages that ground services to a halt throughout the weekend.

The issues began on Friday, when customers reported problems logging into the app and website for Petro-Canada, a gas station chain owned by Suncor. Employees told CTV News on Saturday that they could only accept cash at a number of gas stations.

Problems were reported across Calgary, Ottawa, Toronto and in several other major cities in Canada. Petro-Canada eventually took to Twitter on Saturday night to acknowledge the outages and confirm that they were being addressed.

The company did not respond to requests for comment but released a statement on Sunday night attributing the outages to a cyberattack.

“Suncor has experienced a cyber security incident. The company is taking measures and working with third-party experts to investigate and resolve the situation, and has notified appropriate authorities,” the company said.

“At this time, we are not aware of any evidence that customer, supplier or employee data has been compromised or misused as a result of this situation. While we work to resolve the incident, some transactions with customers and suppliers may be impacted.”

The company did not respond to requests for comment about whether it was a ransomware attack or when service would return to normal.

Customers flooded social media to complain about the outages, sharing photos of gas pumps that could not take cards.

Suncor has made several public pledges over the last year centered on leading an effort to improve cybersecurity in the oil and gas sector. In World Economic Forum events this year and last year, the company joined several others in signing a Cyber Resilience Pledge that included several cybersecurity commitments.

The pledges explicitly reference the attack on Colonial Pipeline, which faced similar problems in 2021 and precipitated a White House-led push to address widespread cybersecurity deficiencies across critical industries.

Earlier this year, a cybersecurity incident involving a Canadian pipeline and Russian hackers was revealed in leaked U.S. intelligence documents, which a senior Canadian cyber official characterized as a “call to action.”

Cybersecurity firm Dragos tracked at least 21 ransomware attacks on oil and gas companies in 2022, and most recently Shell dealt with a data breach connected to the exploitation of the MOVEit file transfer tool.