Indigo website still offline nearly 1 week after cybersecurity incident
Company has likely fallen victim to ransomware attack, experts say
Almost a week after being hit with an apparent cyberattack, book retailer Indigo's website is still offline, leaving customers with more questions than answers.
The TSX-listed bookseller's website went dark on Wednesday, Feb. 8. Indigo's brick-and-mortar stores could not process any transactions that were not in cash, leaving anyone who wanted to return or buy an item using debit, credit or gift cards in the lurch.
Within hours, the company posted a message on its website, saying it "experienced a cybersecurity incident" and was communicating with customers via its social media channels.
Through the weekend, physical stores had regained most functionalities, except the ability to process returns after the company changed its in-store payment technology as part of its incident response.
But the website remains offline as of Tuesday afternoon, almost a week after it first went dark.
That's bad news for the company, as it makes it impossible to process any new sales online. But it's also bad news for customers, like Gabriel Lee, who ordered a gift for his girlfriend online last week that was scheduled to arrive last Friday; it's now stuck in transit on Valentine's Day, with no indication of when it might arrive.
"There's absolutely no way I can tell if it's coming, like, this week or next week," he told CBC News in an interview. "There's no timeline for it, so unfortunately, I'm going to just have to wait it out and see. And then see if they offer compensation … but I don't think they will."
Indigo said Tuesday in a statement posted to social media that customer debit and credit card information was not compromised.
Keeping you updated <a href="https://t.co/6H0dsyaeVd">pic.twitter.com/6H0dsyaeVd</a>—@chaptersindigo
The company has been relatively tight-lipped about what's happened, but multiple cybersecurity companies interviewed by CBC News say the incident has all the hallmarks of what's known as a ransomware attack. That's the term for when hackers infiltrate a company's internal systems, disable them, then demand a ransom to undo what they've done.
It's a growing problem. Statistics Canada says ransomware attacks amounted to 11 per cent of all cyber security incidents in 2021 — the most recent year for which up to date data is available.
Grocery chain Sobeys was a recent high-profile victim, with the company being hit by a ransomware attack in November that left the chain unable to fill prescriptions at the its pharmacies for four days, while other in-store functions, like self-checkout machines, gift-card use and the redemption of loyalty points, were offline for about a week.
In its most recent quarterly earnings, the company said the incident cost it about $25 million.
Cybersecurity expert Cat Coode says it's "very likely" that Indigo has been hit by something similar. The timing and duration of the outage suggests it's something external, she says, as does the sheer number of systems involved, including payment and inventory systems both in store and online.
"The fact that we see two separate and distinct systems that have gone down is an indication that this is a malicious attack and not an accident that's happened inside the company," she said.
Regardless of the cause, the longer the outage stretches on the worse the damage will be, says Daniel Tsai, a lecturer in law and business technology at University of Toronto and Toronto Metropolitan University.
"It's going to have an impact on their sales and reputation because consumers are really focused on the reliability of the site and if they can't go on ... guess what, they're not going to come back," he said in an interview. "The longer this goes on, the greater the punishment."
While she's confident the retailer is likely the victim of a ransomware attack, Coode is equally confident that it's unlikely sensitive consumer information, such as credit-card data, was stolen.
"Because there hasn't been an announcement that there has been a breach of personal information indicates likely that no one has taken the information out of the company," she said.
"The minute you say the word 'breach,' you fired off the alarm — you have to notify the privacy commissioner."
By law, Canadian companies that experience cybersecurity breaches where customer data is stolen are required to report the breach to the Office of the Privacy Commissioner of Canada "as soon as feasible."
In a statement to CBC News, the commissioner's office says it "is aware" of the situation at Indigo and is "in communication with the organization in order to obtain more information including a formal breach report, and to determine next steps."
"I am not in a position to provide any more information about this matter at this time," the spokesperson said on Friday.
CBC News reached out to the agency on Tuesday to see if that status has been updated.
Indigo spokesperson Melissa Perri said the company was continuing to work with third-party experts to investigate the situation and understand whether any customer data has been accessed.