Indigo outage nears one-week mark, becomes latest Canadian company to face cyber attack

Indigo’s e-commerce site first went offline on February 8th. Since then, the Toronto-based company has called in “third-party experts” to solve the problem. Christopher Katsarov/The Globe and Mail

A “cybersecurity incident” that brought down the website of Indigo Books & Music Inc. (IDG-T) continued for a sixth day Tuesday, just the latest in a series of attacks targeting Canadian organizations and an example of growing concern across the retail industry.

Indigo’s e-commerce site first went offline on February 8th. Since then, the Toronto-based company has called in “third-party experts” to solve the problem, it said in a statement. The retailer changed its in-store payment technology to resume accepting debit and credit card payments, as well as gift cards – which it was initially unable to do.

However, the chain remained unable to accept exchanges or returns or online orders, and was unable to provide e-commerce customers with information on the status of their purchases. Customers shopping in stores reported being unable to find goods on the shelves because computers used to look up the locations of items also broke down.

“As part of our ongoing investigation, we can now confirm that customer credit and debit card information has not been compromised,” Indigo spokeswoman Melissa Perri said in a statement Tuesday. “We do not store full credit or debit card numbers in our systems. We can also confirm that customers’ plum points remain intact and unaffected.”

The outage at Indigo, following other high-profile incidents in recent months, underscores the rising costs of cybersecurity for businesses and public sector organizations. While retailers aren’t the only ones exposed to such threats, they are particularly vulnerable as highly visible businesses that process reams of credit card data and other valuable customer information.

Just last month, the Liquor Control Board of Ontario reported a “cybersecurity incident” that knocked its website and mobile application offline. And in November, food retailer Empire Co. Ltd., whose chains include Sobeys, Safeway, IGA and FreshCo, also suffered a breach that shut down a number of operations for about a week, including self-checkout terminals, gift cards and loyalty point redemptions. In December, Empire estimated that the “cybersecurity incident” would ultimately cost the company around $25 million, after payouts from the insurance coverage it holds for such events.

A Statistics Canada survey of more than 12,000 companies found that one in five companies experienced a cybersecurity incident in 2021. And the costs of these threats are increasing even for companies that don’t experience a breach: In the same survey, Canadian companies reported a total cost of $9.7 billion to detect or prevent cybersecurity incidents in 2021, more than triple what they spent in 2019.

“The people behind these cybersecurity attacks have gotten their hands on an incredibly lucrative business,” said Charles Finlay, executive director of Rogers Cybersecure Catalyst at Toronto Metropolitan University. “For that reason alone, there is no longer any room for surprises. Ransomware attacks, stealing customer data and selling it on the dark web is not only common, it’s a booming business.”

Similar to other companies that have recently faced such issues, Indigo has not disclosed the nature of the outage, only describing it as a “cybersecurity incident.”

Lisa Kearney, chief executive officer of the Women CyberSecurity Society Inc., said that restoring functionality after such incidents can be a difficult and lengthy process. It may take longer if companies aren’t prepared for a breach or haven’t dedicated enough resources to prevention over the long term, she said.

“In many cases, a full digital forensic investigation needs to be conducted, which can take several weeks to several months, to determine the root cause and who is responsible,” Ms Kearney said.

Regardless of their operational size, companies should not underestimate the potential for breaches and should implement disaster recovery plans, she said. “It’s not something you want to think about at the last minute.”
