Sobeys parent says total impact of cyber attack could be over $54 million

The parent company of the Canadian Sobey’s and FreshCo supermarket chains says the direct and indirect costs from last year’s cyber attack could add up to over $54 million, not including insurance payments.

Empire estimates, based on available information, that the final impact on net earnings over fiscal 2023 and fiscal 2024 will be approximately $32 million, net of estimated insurance recoveries.

The numbers are included in the latest quarterly results issued today by Empire Co.

Direct impact of the November attack on the company’s net earnings are estimated at $39 million after an unspecified amount of insurance payments are received. In addition, the estimated cost of related sales and impacts such as the temporary loss of advanced planning, promotion, and fresh item management tools, temporary closures of pharmacies and customers’ inability to redeem gift cards and loyalty points is $15 million.

To put that in perspective, IBM estimated the average cost of a data breach to a Canadian organization was $7 million.

The quarterly report refers to the attack as a cyber incident, although Bleeping Computer says evidence suggests the company was hit by the BlackBasta ransomware gang.

“Empire is in the process of working with its insurance providers to make claims under its policies,” the quarterly financial report says in part. “Due to the complexity of the cyber insurance coverage and related claims, there will be a time lag between the initial incurrence of costs and the recognition of insurance proceeds. While the impact of the cybersecurity event is substantially behind the company, management expects that there will be some additional costs incurred after the third quarter of fiscal 2023.”

What the financials call the “cybersecurity event adjustment” — the $39.1 million — includes the impact of incremental direct costs such as hardware and software restoration costs, legal and professional fees labour costs and inventory shrink.

“Management believes that the cybersecurity event adjustment results in a useful economic representation of the underlying business on a comparative basis,” the report says. “The adjustment does not include management’s estimate of the full financial impact of the cybersecurity event, as it excludes the net earnings impacts related to the estimated decline in sales and operational effectiveness from impacts such as the temporary loss of advanced planning, promotion and fresh item management tools, the temporary closure of pharmacies, and customers’ temporary inability to redeem gift cards and loyalty points.” That would be the estimated $15 million.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Featured Reads