It’s been a nerve-wracking and uncertain last number of days for cannabis retailers operating across Ontario in the wake of communication from the Ontario Cannabis Store (OCS) that a potential data breach may have occurred during a cyberattack on the systems of its third-party logistics partner.
Halt on Deliveries
As a result of the attack, the OCS has halted all deliveries to its customers and stores for an indefinite amount of time. The sole distributor of cannabis products in the province has said that it doesn’t believe that there is any indication that OCS customer data has been compromised as a result of the attack. However, it has made the decision “out of an abundance of caution to protect OCS and its customers” to stop all deliveries.
It’s a decision that may be the only one that the Crown corporation could have made under the current circumstances. However, it’s one that is placing the viability of an estimated 1,333 cannabis stores in Ontario in serious jeopardy. In fact, according to Alex Boxall, Director of Sales and Operations at Relm Cannabis Co. in Burlington, Ontario, the significance of the impact that this delivery disruption will ultimately have on businesses is yet to be fully grasped.
“All Cannabis retailers are being affected by this halt on deliveries,” he says. “And, it’s very difficult to determine exactly how affected we’ve been to this point. As the current global supply chain issues have shown, any supply chain interruption of this nature has major and far-reaching repercussions, both for businesses, as well as consumers. It will be days, if not weeks, before we fully understand the effect that this has had on our businesses.”
Impacting Retail Operations
The cyberattack, which occurred on Friday, August 5, targeted Domain Logistics – a third-party distribution centre – and was reported to cannabis retailers three days later on Monday, August 8. It’s blown inventory management practices completely out of reason and has left many scrambling for alternative solutions to minimize the damage that the delivery delay may cause.
Delays are also impacting the experience that many cannabis retailers pride themselves on offering, potentially souring the perception of some consumers, impacting their loyalty. In fact, according to Boxall, the cause and effect of such a situation is glaringly evident for merchants operating within the industry.
“The obvious ramifications for any business dealing with an extended supply chain disruption is a lack of new product, which usually causes a downturn in consumer satisfaction,” he asserts. “Consumers have become accustomed to a large variety of offerings, and popular products will sell through quickly.”
Driver of Elicit Sales?
Selling through product quickly during this delay will not only impact the operations and sales performance of retail establishments, some experts are suggesting that it could drive many to make cannabis purchases by way of elicit means, likely resulting in a spike in the illegal cannabis market in the province.
Domain Logistics has not yet offered any comment concerning the potential breach of customer data. Further, the OCS has yet to offer any inclination as to when normal delivery service to customers and retail cannabis stores will resume. However, The Canadian Press obtained a letter sent by the OCS to cannabis retailers operating in Ontario which stated that “as a goodwill gesture,” the Crown corporation has offered to waive all retailer delivery fees until September 30, 2022. In addition, it’s waiving one $500 emergency order processing fee per store on orders made between September 1, 2022 and March 31, 2023.
The Need to Protect
Although it’s “goodwill” that may serve to alleviate some of the pressures that have been placed on cannabis retailers as a result of the delivery disruption, it doesn’t address the very serious issue at hand, which is the cyberattack and potential compromise of hundreds of thousands of customer data. And, it’s not the first time it’s happened.
OCS systems suffered a similar attack back in 2018, during which data was, indeed, compromised. And, according to retail industry veteran and loss prevention expert, Stephen O’Keefe, it’s an issue that the province’s sole purveyor of cannabis and proprietor of customer data must eradicate immediately.
“This is a great example highlighting the fact that the biggest concern for retailers and other businesses is not necessarily protecting their own first-party data,” he suggests. “Although it’s an incredibly important piece of protection, they should also make sure that the data they possess does not reside anywhere else if it’s not absolutely necessary. Otherwise, as we see in this case, businesses are as susceptible as their partners systems are secure.”
O’Keefe goes on to suggest further that the attack should draw attention to the need for oversight and auditing programs that can help businesses manage risks more effectively.
“Unfortunately, when left to their own accord, many businesses struggle to implement and maintain the right processes needed to properly protect the company’s assets, including vital customer data,” he says. “It’s an area of the business, especially given the accelerated digitization of the industry, that requires expert guidance and advice. And, from a business continuity perspective, vulnerabilities to attacks of this nature could be identified by the development and adherence to effective risk assessment and contingency plans.”
Despite these words of wisdom, cannabis retailers throughout Ontario continue to wait on updates from the OCS concerning the halt on deliveries and when normal service might resume. And, they watch, unable to influence circumstances as inventories dwindle, customers become frustrated and opportunities to capitalize on a growing market fade.