Indigo’s e-commerce site first went offline on Feb. 8. Since then, the Toronto-based company has called in 'third-party experts' in an attempt to resolve the issue.Christopher Katsarov/The Globe and Mail
A “cybersecurity incident” that took down the website of Indigo Books & Music Inc. IDG-T continued for a sixth day on Tuesday, just the latest in a string of attacks on Canadian organizations and an example of a growing concern across the retail industry.
Indigo’s e-commerce site first went offline on Feb. 8. Since then, the Toronto-based company has called in “third-party experts” in an attempt to resolve the issue, according to a statement. The retailer changed its in-store payment technology in order to resume accepting debit and credit card payments as well as gift cards – which they were unable to do at first.
But the chain remained unable to accept exchanges or returns, or online orders, and could not provide e-commerce customers any information on the status of their purchases. Customers who shopped in stores reported being unable to find merchandise on the shelves because computers used to search for items’ locations were also down.
“As part of our ongoing investigation, we can now confirm that customer credit and debit card information was not compromised,” said a statement provided by Indigo spokesperson Melissa Perri on Tuesday. “We do not store full credit or debit card numbers in our systems. We can also confirm that customer Plum points remain intact and unaffected.”
Indigo cybersecurity incident highlights mounting prevalence, sophistication of hackers, experts say
The Globe 100: The best books of 2022
The disruption at Indigo, after other high-profile incidents in recent months, further highlights the increasing costs of cybersecurity for businesses and public-sector organizations. While retailers are not alone in facing such threats, they are particularly vulnerable as highly visible companies that process reams of credit card data and other valuable customer information.
Just last month, the Liquor Control Board of Ontario reported a “cybersecurity incident” that knocked its website and mobile application offline. And in November, grocery retailer Empire Co. Ltd., whose store chains include Sobeys, Safeway, IGA and FreshCo, also suffered a breach that shut down a number of operations for roughly a week, including self-checkout terminals, gift cards and redemption of loyalty points. In December, Empire estimated the “cybersecurity incident” would end up costing the company roughly $25-million, after payouts from insurance coverage it holds for such events.
A Statistics Canada survey of more than 12,000 companies found that one in five experienced a cybersecurity incident in 2021. And costs of these threats are rising even for businesses that do not experience a breach: In the same survey, Canadian businesses reported total expenses of $9.7-billion to detect or prevent cybersecurity incidents in 2021, more than three times what they spent in 2019.
Indigo’s new CEO plans to sell $450 pizza ovens and collagen face mists at the bookstore
“The people that are behind these cybersecurity attacks have got their hands on an incredibly lucrative business,” said Charles Finlay, executive director of the Rogers Cybersecure Catalyst at Toronto Metropolitan University. “There is no room for surprise any more for that reason alone. Ransomware attacks, stealing customers’ data and selling it on the dark web is not only common, but it is very much a booming business.”
Similar to other companies that have experienced such issues recently, Indigo did not specify the nature of the outage, referring to it only as a “cybersecurity incident.”
Lisa Kearney, chief executive officer of the Women CyberSecurity Society Inc., said it can be a difficult and lengthy process to restore functionality after such incidents. It may take longer if organizations aren’t prepared for a breach, or if they haven’t been adding enough resources toward prevention in the long run, she said.
“In many cases, a complete digital forensics investigation will need to be performed, which can take several weeks to several months to determine the root cause and who is responsible,” Ms. Kearney said.
Despite their size of operations, businesses should not underestimate the potential for breaches, and must implement disaster recovery plans, she said. “It’s not something you want to be thinking of last minute.”
Susan Krashinsky Robertson
Temur Durrani