Nearly every week after being hit with an obvious cyberattack, e book retailer Indigo’s web site remains to be offline, leaving prospects with extra questions than solutions.
The TSX-listed bookseller’s web site went darkish on Wednesday, Feb. 8. Indigo’s brick-and-mortar shops couldn’t course of any transactions that weren’t in money, leaving anybody who wished to return or purchase an merchandise utilizing debit, credit score or reward playing cards within the lurch.
Inside hours, the corporate posted a message on its web site, saying it “skilled a cybersecurity incident” and was speaking with prospects by way of its social media channels.
By means of the weekend, bodily shops had regained most functionalities, besides the power to course of returns after the corporate modified its in-store cost expertise as a part of its incident response.
However the web site stays offline as of Tuesday afternoon, virtually every week after it first went darkish.
That is unhealthy information for the corporate, because it makes it unattainable to course of any new gross sales on-line. But it surely’s additionally unhealthy information for patrons, like Gabriel Lee, who ordered a present for his girlfriend on-line final week that was scheduled to reach final Friday; it is now caught in transit on Valentine’s Day, with no indication of when it would arrive.
“There’s completely no approach I can inform if it is coming, like, this week or subsequent week,” he instructed CBC Information in an interview. “There is not any timeline for it, so sadly, I’ll simply have to attend it out and see. After which see if they provide compensation … however I do not assume they are going to.”
Indigo mentioned Tuesday in a press release posted to social media that buyer debit and bank card data was not compromised.
Preserving you up to date <a href=”https://t.co/6H0dsyaeVd”>pic.twitter.com/6H0dsyaeVd</a>
The corporate has been comparatively tight-lipped about what’s occurred, however a number of cybersecurity corporations interviewed by CBC Information say the incident has all of the hallmarks of what is generally known as a ransomware assault. That is the time period for when hackers infiltrate an organization’s inner techniques, disable them, then demand a ransom to undo what they’ve accomplished.
It is a rising drawback. Statistics Canada says ransomware assaults amounted to 11 per cent of all cyber safety incidents in 2021 — the newest yr for which updated information is on the market.
Grocery chain Sobeys was a current high-profile sufferer, with the corporate being hit by a ransomware assault in November that left the chain unable to fill prescriptions on the its pharmacies for 4 days, whereas different in-store features, like self-checkout machines, gift-card use and the redemption of loyalty factors, had been offline for a few week.
In its most up-to-date quarterly earnings, the corporate mentioned the incident value it about $25 million.
Cybersecurity knowledgeable Cat Coode says it is “very seemingly” that Indigo has been hit by one thing related. The timing and length of the outage suggests it is one thing exterior, she says, as does the sheer variety of techniques concerned, together with cost and stock techniques each in retailer and on-line.
“The truth that we see two separate and distinct techniques which have gone down is a sign that this can be a malicious assault and never an accident that is occurred inside the corporate,” she mentioned.
Whatever the trigger, the longer the outage stretches on the more serious the harm will likely be, says Daniel Tsai, a lecturer in regulation and enterprise expertise at College of Toronto and Toronto Metropolitan College.
“It’ll have an effect on their gross sales and status as a result of customers are actually targeted on the reliability of the positioning and if they can not go on … guess what, they are not going to return again,” he mentioned in an interview. “The longer this goes on, the better the punishment.”
Whereas she’s assured the retailer is probably going the sufferer of a ransomware assault, Coode is equally assured that it is unlikely delicate client data, corresponding to credit-card information, was stolen.
“As a result of there hasn’t been an announcement that there was a breach of non-public data signifies seemingly that nobody has taken the knowledge out of the corporate,” she mentioned.
“The minute you say the phrase ‘breach,’ you fired off the alarm — you need to notify the privateness commissioner.”
By regulation, Canadian corporations that have cybersecurity breaches the place buyer information is stolen are required to report the breach to the Workplace of the Privateness Commissioner of Canada “as quickly as possible.”
In a press release to CBC Information, the commissioner’s workplace says it “is conscious” of the state of affairs at Indigo and is “in communication with the group in an effort to get hold of extra data together with a proper breach report, and to find out subsequent steps.”
“I’m not ready to supply any extra details about this matter at the moment,” the spokesperson mentioned on Friday.
CBC Information reached out to the company on Tuesday to see if that standing has been up to date.
Indigo spokesperson Melissa Perri mentioned the corporate was persevering with to work with third-party consultants to research the state of affairs and perceive whether or not any buyer information has been accessed.