The Indigo website is still offline almost a week after the cybersecurity incident

A package from Indigo's website was shown in a shipping processing facility last December.  The company was hit by a cybersecurity incident that made it impossible to make or close sales online for about a week.  (Evan Mitsui/CBC - photo credit)

A package from Indigo’s website was shown in a shipping processing facility last December. The company was hit by a cybersecurity incident that made it impossible to make or close sales online for about a week. (Evan Mitsui/CBC – photo credit)

Almost a week after being hit by an apparent cyberattack, bookseller Indigo’s website is still offline, leaving customers with more questions than answers.

The TSX-listed bookseller’s website went dark on Wednesday, February 8th. Indigo’s brick-and-mortar stores couldn’t process non-cash transactions, leaving anyone looking to return or buy an item with a debit, credit, or gift card stranded.

Within hours, the company posted a message on its website saying it had “experienced a cybersecurity incident” and communicated with customers through its social media channels.

During the weekend, physical stores had regained most functionality, except for the ability to process returns, after the company changed its in-store payment technology as part of its incident response.

But the site remains offline as of Tuesday afternoon, almost a week after it first got dark.

That’s bad news for the company, as it’s impossible to process new sales online. But it’s also bad news for customers like Gabriel Lee, who ordered a gift for his girlfriend online last week that was supposed to arrive last Friday; It’s now stuck in transit on Valentine’s Day with no indication of when it might arrive.

“I absolutely can’t tell if it’s coming this week or next week,” he told CBC News in an interview. “There’s no timeline for that so unfortunately I’ll just have to wait and see. And then see if they offer compensation…but I don’t think they will.”

Indigo said in a statement released on social media on Tuesday that customer debit and credit card information was not compromised.

The company has been relatively tight-lipped about what happened, but several cybersecurity firms interviewed by CBC News say the incident has all the hallmarks of a so-called ransomware attack. That’s the term for when hackers infiltrate a company’s internal systems, disable them, and then demand a ransom to undo what they’ve done.

It’s a growing problem. According to Statistics Canada, ransomware attacks accounted for 11 percent of all cybersecurity incidents in 2021 — the most recent year for which current data is available.

growing problem

Grocery chain Sobeys was a recent high-profile victim, as the company was hit by a ransomware attack in November that left the chain unable to fill prescriptions at its pharmacies for four days while using other in-store features such as self-checkout, using gift cards and redeeming loyalty points was offline for about a week.

In its most recent quarterly results, the company said the incident cost it about $25 million.

Cybersecurity expert Cat Coode says it’s “very likely” that Indigo was hit by something similar. The timing and duration of the outage suggest it’s something external, she says, as does the sheer number of systems involved, including payment and inventory systems both in-store and online.

One for the Wall, Inc.

One for the Wall, Inc.

“The fact that two separate and distinct systems went down is an indication that it was a malicious attack and not an accident that occurred within the organization,” she said.

Whatever the cause, the longer the outage, the greater the damage, says Daniel Tsai, associate professor of law and business technology at the University of Toronto and Toronto Metropolitan University.

“It’s going to affect their sales and their reputation because consumers are really focused on the reliability of the site and if they can’t keep going… guess what, they’re not going to come back,” he told an interview. “The longer this goes on, the greater the penalty.”

While she’s confident the retailer was likely the victim of a ransomware attack, Coode is equally confident that sensitive consumer information, like credit card details, is unlikely to have been stolen.

“Because there has been no announcement of a personal data breach, it likely indicates that no one removed the information from the company,” she said.

“The moment you say the word ‘breach’ you’ve sounded the alarm – you need to notify the data protection officer.”

By law, Canadian companies that experience cybersecurity breaches in which customer data is stolen are required to report the breach to the Office of the Data Protection Commissioner of Canada “as soon as possible”.

In a statement to CBC News, the commissioner’s office says it is “aware” of the situation at Indigo and is “in communication with the organization for further information, including a formal violation report, and to determine next steps.” .

“I am currently unable to provide any further information on this matter,” the spokesman said on Friday.

CBC News reached out to the agency on Tuesday to see if that status has been updated.

Indigo spokeswoman Melissa Perri said the company is continuing to work with outside experts to investigate the situation and understand whether customer data has been accessed.


Show More

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button