Loblaw says customer names, phone numbers, and emails were exposed in cyber incident

Loblaw has told customers that a criminal third party accessed some basic personal information after suspicious activity was detected on a contained, non-critical part of its IT network. The company says the exposed data includes names, phone numbers, and email addresses, while its investigation has not found evidence that passwords, health information, or credit card data were compromised.

That makes this a limited but still important breach. Even when financial data is not exposed, names, email addresses, and phone numbers can still fuel phishing, fake customer support messages, and other fraud attempts. Loblaw has already logged customers out of its digital services as a precaution and says users must sign in again to regain access.

The company also says PC Financial was not affected. Reuters reported that Loblaw does not expect the incident to have a material impact on its financial performance, based on what it knows so far.

Loblaw is not a small target. The retailer describes itself as Canada’s food and pharmacy leader, with more than 2,800 locations and more than 220,000 employees, which helps explain why even a low-level breach draws national attention.

What happened

According to Loblaw, the incident began with suspicious activity detected on a limited part of its network. After investigating, the company concluded that an unauthorized third party accessed basic customer details. It has not publicly identified the attacker or explained how the intrusion happened.

So far, Loblaw’s public statements point to a narrower exposure than many recent retail cyber incidents. The company says there is no evidence that passwords, health data, or payment card information were compromised, which lowers the risk of direct account takeover or payment fraud. Still, customers should treat any unexpected emails, texts, or calls that mention Loblaw, PC Optimum, or related brands with caution.

What Loblaw says was exposed

Source: Loblaw public statements and Reuters reporting.

What customers should do now

Customers do not appear to need to replace payment cards based on the information released so far. They should, however, expect a higher chance of scam messages that use real names or claim urgency.

• Sign back into Loblaw digital services only through official apps or the company’s official website
• Change your password if you reuse it anywhere else
• Turn on two-factor authentication where available
• Ignore unexpected texts, calls, or emails asking for codes, payment details, or login information
• Watch for fake messages that mention account problems, rewards, refunds, or delivery issues
• Report suspicious messages instead of clicking links or downloading attachments

Why this breach matters

A breach does not need to expose credit cards to create risk. Contact information is valuable because it can help criminals build convincing phishing campaigns. A message that includes your name and refers to a retailer you actually use has a better chance of working.

This is also the kind of incident that can test customer trust more than operations. Loblaw says the affected network segment was non-critical, but customers will likely focus on one question: whether the company can fully contain the intrusion and keep follow-up scams from spreading.

Key takeaways

• Loblaw says a criminal third party accessed names, phone numbers, and email addresses
• The company says passwords, credit card data, and health information were not compromised
• Loblaw logged customers out of digital services as a precaution
• PC Financial was not impacted, according to the company
• Customers should stay alert for phishing attempts that use Loblaw branding

FAQ