Nearly every week after being hit with an obvious cyberattack, e-book retailer Indigo’s web site continues to be offline, leaving prospects with extra questions than solutions.
The TSX-listed bookseller’s web site went darkish on Wednesday, Feb. 8. Indigo’s brick-and-mortar shops couldn’t course of any transactions that weren’t in money, leaving anybody who needed to return or purchase an merchandise utilizing debit, credit score or reward playing cards within the lurch.
Inside hours, the corporate posted a message on its web site, saying it “skilled a cybersecurity incident” and was speaking with prospects by way of its social media channels.
By way of the weekend, bodily shops had regained most functionalities, besides the power to course of returns after the corporate modified its in-store cost expertise as a part of its incident response.
However the web site stays offline as of Tuesday afternoon, nearly every week after it first went darkish.
That is dangerous information for the corporate, because it makes it unattainable to course of any new gross sales on-line. Nevertheless it’s additionally dangerous information for purchasers, like Gabriel Lee, who ordered a present for his girlfriend on-line final week that was scheduled to reach final Friday; it is now caught in transit on Valentine’s Day, with no indication of when it’d arrive.
“There’s completely no means I can inform if it is coming, like, this week or subsequent week,” he instructed CBC Information in an interview. “There is not any timeline for it, so sadly, I’ll simply have to attend it out and see. After which see if they provide compensation … however I do not assume they are going to.”
Indigo stated Tuesday in an announcement posted to social media that buyer debit and bank card data was not compromised.
Holding you up to date <a href=”https://t.co/6H0dsyaeVd”>pic.twitter.com/6H0dsyaeVd</a>
—@chaptersindigo
The corporate has been comparatively tight-lipped about what’s occurred, however a number of cybersecurity firms interviewed by CBC Information say the incident has all of the hallmarks of what is referred to as a ransomware assault. That is the time period for when hackers infiltrate an organization’s inner programs, disable them, then demand a ransom to undo what they’ve finished.
It is a rising drawback. Statistics Canada says ransomware assaults amounted to 11 per cent of all cyber safety incidents in 2021 — the latest yr for which updated information is obtainable.
Rising drawback
Grocery chain Sobeys was a latest high-profile sufferer, with the corporate being hit by a ransomware assault in November that left the chain unable to fill prescriptions on the its pharmacies for 4 days, whereas different in-store capabilities, like self-checkout machines, gift-card use and the redemption of loyalty factors, had been offline for a couple of week.
In its most up-to-date quarterly earnings, the corporate stated the incident value it about $25 million.
Cybersecurity skilled Cat Coode says it is “very possible” that Indigo has been hit by one thing comparable. The timing and length of the outage suggests it is one thing exterior, she says, as does the sheer variety of programs concerned, together with cost and stock programs each in retailer and on-line.
“The truth that we see two separate and distinct programs which have gone down is a sign that this can be a malicious assault and never an accident that is occurred inside the corporate,” she stated.
Whatever the trigger, the longer the outage stretches on the more serious the harm can be, says Daniel Tsai, a lecturer in legislation and enterprise expertise at College of Toronto and Toronto Metropolitan College.
“It is going to have an effect on their gross sales and popularity as a result of shoppers are actually targeted on the reliability of the location and if they cannot go on … guess what, they are not going to return again,” he stated in an interview. “The longer this goes on, the higher the punishment.”
Whereas she’s assured the retailer is probably going the sufferer of a ransomware assault, Coode is equally assured that it is unlikely delicate client data, reminiscent of credit-card information, was stolen.
“As a result of there hasn’t been an announcement that there was a breach of private data signifies possible that nobody has taken the data out of the corporate,” she stated.
“The minute you say the phrase ‘breach,’ you fired off the alarm — you need to notify the privateness commissioner.”
By legislation, Canadian firms that have cybersecurity breaches the place buyer information is stolen are required to report the breach to the Workplace of the Privateness Commissioner of Canada “as quickly as possible.”
In an announcement to CBC Information, the commissioner’s workplace says it “is conscious” of the state of affairs at Indigo and is “in communication with the group as a way to acquire extra data together with a proper breach report, and to find out subsequent steps.”
“I’m not able to offer any extra details about this matter at the moment,” the spokesperson stated on Friday.
CBC Information reached out to the company on Tuesday to see if that standing has been up to date.
Indigo spokesperson Melissa Perri stated the corporate was persevering with to work with third-party specialists to research the state of affairs and perceive whether or not any buyer information has been accessed.
