Virtually every week after being hit with an obvious cyberattack, e-book retailer Indigo’s web site remains to be offline, leaving prospects with extra questions than solutions.
The TSX-listed bookseller’s web site went darkish on Wednesday, Feb. 8. Indigo’s brick-and-mortar shops couldn’t course of any transactions that weren’t in money, leaving anybody who needed to return or purchase an merchandise utilizing debit, credit score or reward playing cards within the lurch.
Inside hours, the corporate posted a message on its web site, saying it “skilled a cybersecurity incident” and was speaking with prospects through its social media channels.
Via the weekend, bodily shops had regained most functionalities, besides the power to course of returns after the corporate modified its in-store fee expertise as a part of its incident response.
However the web site stays offline as of Tuesday afternoon, nearly every week after it first went darkish.
That is unhealthy information for the corporate, because it makes it unattainable to course of any new gross sales on-line. Nevertheless it’s additionally unhealthy information for patrons, like Gabriel Lee, who ordered a present for his girlfriend on-line final week that was scheduled to reach final Friday; it is now caught in transit on Valentine’s Day, with no indication of when it would arrive.
“There’s completely no approach I can inform if it is coming, like, this week or subsequent week,” he instructed CBC Information in an interview. “There is not any timeline for it, so sadly, I’ll simply have to attend it out and see. After which see if they provide compensation … however I do not suppose they may.”
Indigo mentioned Tuesday in an announcement posted to social media that buyer debit and bank card info was not compromised.
Conserving you up to date <a href=”https://t.co/6H0dsyaeVd”>pic.twitter.com/6H0dsyaeVd</a>
The corporate has been comparatively tight-lipped about what’s occurred, however a number of cybersecurity corporations interviewed by CBC Information say the incident has all of the hallmarks of what is generally known as a ransomware assault. That is the time period for when hackers infiltrate an organization’s inner techniques, disable them, then demand a ransom to undo what they’ve carried out.
It is a rising downside. Statistics Canada says ransomware assaults amounted to 11 per cent of all cyber safety incidents in 2021 — the newest 12 months for which updated information is offered.
Grocery chain Sobeys was a latest high-profile sufferer, with the corporate being hit by a ransomware assault in November that left the chain unable to fill prescriptions on the its pharmacies for 4 days, whereas different in-store features, like self-checkout machines, gift-card use and the redemption of loyalty factors, had been offline for a few week.
In its most up-to-date quarterly earnings, the corporate mentioned the incident price it about $25 million.
Cybersecurity skilled Cat Coode says it is “very doubtless” that Indigo has been hit by one thing related. The timing and length of the outage suggests it is one thing exterior, she says, as does the sheer variety of techniques concerned, together with fee and stock techniques each in retailer and on-line.
“The truth that we see two separate and distinct techniques which have gone down is a sign that it is a malicious assault and never an accident that is occurred inside the corporate,” she mentioned.
Whatever the trigger, the longer the outage stretches on the more severe the harm shall be, says Daniel Tsai, a lecturer in regulation and enterprise expertise at College of Toronto and Toronto Metropolitan College.
“It will have an effect on their gross sales and fame as a result of shoppers are actually targeted on the reliability of the location and if they cannot go on … guess what, they are not going to return again,” he mentioned in an interview. “The longer this goes on, the higher the punishment.”
Whereas she’s assured the retailer is probably going the sufferer of a ransomware assault, Coode is equally assured that it is unlikely delicate client info, resembling credit-card information, was stolen.
“As a result of there hasn’t been an announcement that there was a breach of non-public info signifies doubtless that nobody has taken the knowledge out of the corporate,” she mentioned.
“The minute you say the phrase ‘breach,’ you fired off the alarm — it’s a must to notify the privateness commissioner.”
By regulation, Canadian corporations that have cybersecurity breaches the place buyer information is stolen are required to report the breach to the Workplace of the Privateness Commissioner of Canada “as quickly as possible.”
In an announcement to CBC Information, the commissioner’s workplace says it “is conscious” of the scenario at Indigo and is “in communication with the group as a way to get hold of extra info together with a proper breach report, and to find out subsequent steps.”
“I’m not ready to offer any extra details about this matter presently,” the spokesperson mentioned on Friday.
CBC Information reached out to the company on Tuesday to see if that standing has been up to date.
Indigo spokesperson Melissa Perri mentioned the corporate was persevering with to work with third-party specialists to analyze the scenario and perceive whether or not any buyer information has been accessed.