Loblaw Data Breach Hackers Accessed IT Network and Customer Information

Canada’s largest food and pharmacy retailer has announced an ongoing investigation into a recent corporate data breach.

On March 10, 2026, the company notified its customers that unauthorized threat actors successfully infiltrated a segment of its IT network.

The security incident was discovered after Loblaw detected suspicious activity within its infrastructure. According to the company, the hackers compromised a contained, non-critical area of the network.

Despite the breach’s segmentation, the threat actors still managed to access customer records stored in that environment.

Following the initial discovery, Loblaw’s internal investigation confirmed that a criminal third party successfully exfiltrated basic customer contact information.

While the targeted systems did not handle primary operational workloads, they did store personal identifiers.

The compromised customer data includes:

First and last names.
Phone numbers.
Registered email addresses.

To alleviate immediate security concerns, Loblaw explicitly outlined the limitations of the intrusion.

The threat actors failed to move laterally into highly sensitive databases containing financial or medical records.

According to the company’s forensic investigation, the following information remains secure and uncompromised:

User passwords and login credentials.
Personal health and pharmacy information.
Credit card data and payment details.
PC Financial systems and linked accounts.

Upon detecting the unauthorized network access, Loblaw immediately triggered its internal security response protocols.

The company has secured the affected network segment and implemented containment measures to protect remaining customer data from further exposure.

As a direct defensive action, Loblaw is forcefully expiring active user sessions across its platforms. All customers will be automatically logged out of their digital accounts.

To regain access to Loblaw’s digital services, users must authenticate and log back in.

While passwords were not compromised during this incident, the exposure of names, email addresses, and phone numbers poses a secondary risk.

Security experts advise affected customers to remain vigilant against potential phishing campaigns and smishing (SMS phishing) attempts.

Threat actors frequently leverage this type of basic contact information to launch targeted social engineering attacks aimed at stealing broader credentials.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

Original article can be found here

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.