Loblaw responds to claims that it's downplaying recent data breach affecting Canadians
If you shop at Loblaw-owned stores, you could have been affected by a recent data breach.
On March 10, Canada’s largest grocer and pharmacy retailer notified customers that it’s investigating a “low-level data breach.”
“After identifying suspicious activity on a contained, non-critical part of its IT network, the Company has determined that a criminal third-party accessed some basic customer information such as names, phone numbers, and email addresses,” reads the notice.
If you were suddenly logged out of your PC Optimum app and other Loblaw apps that use PCid, don’t be alarmed.
The company said it secured its network and customer information as part of its security response protocol. This means that all customers were automatically logged out of their accounts and will therefore need to log back in if they want to access the company’s digital services.
“By logging back in, you have successfully re-authenticated your account. Your account is secure, and we apologize for any inconvenience this temporary interruption may have caused,” reads another notice from the grocer on March 10.
Users received the notification about the data breach on the PC Optimum app.
PC Optimum app
Loblaw assured customers that its current investigation indicates that passwords, health information and credit card data were not compromised. It added that PC Financial was not impacted by the cyberattack.
Lastly, the grocer said stores, payment systems, and operations were not impacted by the data breach.
However, cybercrime tracker Dark Web Informer alleges that the data breach is much wider in scope than the company has shared.
In a post on X on March 13, Dark Web Informer found that a hacker is allegedly threatening to publicly leak all data if the company does not respond by March 19.
‼️🇨🇦 A threat actor claims to have breached Loblaw, Canada’s largest food and pharmacy retailer, threatening to publicly leak all data if the company does not respond by March 19th.
The allegedly exfiltrated data includes 75.1M Salesforce customer PII records, 724.9M Shoppers… pic.twitter.com/P0QnkB1Q5X
— Dark Web Informer (@DarkWebInformer) March 13, 2026
The data breach allegedly includes the personal information of 75.1 million Salesforce customers, 724.9 million Shoppers Drug Mart Hybris rows with payment info and credit card details, 129.9 million pharmacy fill request records with prescription numbers and patient IDs, 120.4 million e-commerce fraud-feed records, 20.2 million Delivery Ops Portal rows, 3,014 GitLab projects with full source code, 19.3 million Oracle IDCS user identity records, and 55.3 million SFMC marketing/email records across 673 tables.
The hacker claims the grocery giant is downplaying the cyberattack.
@DarkWebInformer/X
In an email statement to Daily Hive, Loblaw reiterated that no passwords, health information or credit card data were impacted in the breach, and there is no impact to operations. It did not verify the claims shared by the cybercrime tracker.
“We do not have anything additional to add to our statement as the investigation continues, including responding to new threats from cyber criminals,” stated the spokesperson.
The company also did not specify how many Canadians were impacted by the data breach.
Loblaw is the parent company of Shoppers Drug Mart, No Frills, Loblaws, and Real Canadian Superstore. It’s one of the largest retailers and private sector employers in Canada, with over 220,000 colleagues across the country.
“The Company will provide further updates as necessary as the investigation progresses,” reads a notice.