Indigo's 'cybersecurity incident' stretches into third day as website still offline

Indigo Books & Music Inc. is dealing with a cybersecurity incident that has affected sales in-store and online, and at least one cybersecurity expert suggests it is likely because of ransomware.

Sales online can't be processed and sales in-store limited to cash only

A woman walks past the display window of an Indigo book store.
A woman walks past an Indigo bookstore in Laval, Que., on Nov. 4, 2020. The retailer has been hit by a 'cybersecurity incident' that is impacting sales online and in-store. (Ryan Remiorz/The Canadian Press)

Indigo Books & Music Inc. is dealing with what it calls a "cybersecurity incident" that has affected customer orders in-store and online.

It started at the Toronto-based retailer on Wednesday. As of Friday afternoon, Indigo's website was still offline.

"We are working with third-party experts to investigate and resolve the situation," the company said in a message posted on its website.

"Our hope is to have our systems back online as soon as possible."

Indigo says it can't process electronic payments, accept gift cards or deal with returns. But at one location in Toronto on Friday, the store was able to process credit and or debit transactions, but gift cards were still not operational.

A sign at an Indigo store in Toronto informing customers that debit and credit systems are working, but gift card payments are not.
At an Indigo store in Toronto on Friday, customers were informed by this sign that debit and credit payments are once again operations, but gift cards are not. (David Lao/CBC)

The company is responding to concerned customers via social media channels, and saying it is trying to "understand if customer data has been accessed."

The company hasn't given much detail about what is going on, but David Masson, director of enterprise security at cybersecurity firm Darktrace, says the sheer length of the problem suggests it wasn't an internal error, and rather an instance of ransomware, where hackers steal information, lock systems and demand a ransom to release them.

"Their point-of-sale system has gone down... and they've also said that they're unable to take returns anymore, which kind of implies that they're unable to bring stock back into the system."

If "just a small part of an organization is going down, it's probably not ransomware," he said. "But if it's more widespread, that's kind of a hint that it might be."

Ransomware "really does muck up your organization, and it's not going to get fixed in a few hours," he said. 

Latest retail attack

If it is ransomware, it means the company has joined a growing list of Canadian retailers to have fallen victim just in the past few months.

Sobeys parent company Empire Co. Ltd. recently grappled with a security breach that shut down its pharmacy services and other in-store functions.

The cybersecurity event in early November left customers unable to fill prescriptions for four days, while other in-store functions like self-checkout machines, gift card use and the redemption of loyalty points were offline for about a week.

Empire said in December the incident is expected to cost $25 million after insurance recoveries.

Enza Alexander, vice-president with cybersecurity firm ISA, is shown outside holding a handrail on a set of stairs.
Enza Alexander is a vice-president with ISA Cybersecurity. (ISA)

Enza Alexander, a vice-president at ISA Cybersecurity, says that while she has no first-hand knowledge of what's happening at Indigo, retailers are becoming popular targets for cybercriminals because of the rise of online shopping — and they're more noticeable when they happen because they are in the public eye.

"Financial gains [are] how the cybercriminals are generating dollars to feed their endeavours," she told CBC News.

The typical ransomware attack cost the typical target company a little over $4.5 million US last year, a recent report from IBM showed. But ISA says actual ransoms paid are often higher than whatever number gets attributed to them, because many organizations don't like to divulge that they even paid one at all due to the reputational and legal risk of admitting it.

While she says it's too early to tell what's happened at Indigo, her advice for consumers boils down to basic common sense.

"I've always advised people close to me 'You're one click away from making the wrong click,'" she said.

With files from the CBC's James Dunne

Add some “good” to your morning and evening.

A variety of newsletters you'll love, delivered straight to you.

Sign up now