Virtually every week after being hit with an obvious cyberattack, e book retailer Indigo’s web site remains to be offline, leaving clients with extra questions than solutions.
The TSX-listed bookseller’s web site went darkish on Wednesday, Feb. 8. Indigo’s brick-and-mortar shops couldn’t course of any transactions that weren’t in money, leaving anybody who needed to return or purchase an merchandise utilizing debit, credit score or reward playing cards within the lurch.
Inside hours, the corporate posted a message on its web site, saying it “skilled a cybersecurity incident” and was speaking with clients by way of its social media channels.
By way of the weekend, bodily shops had regained most functionalities, besides the power to course of returns after the corporate modified its in-store fee know-how as a part of its incident response.
However the web site stays offline as of Tuesday afternoon, nearly every week after it first went darkish.
That is dangerous information for the corporate, because it makes it unimaginable to course of any new gross sales on-line. But it surely’s additionally dangerous information for purchasers, like Gabriel Lee, who ordered a present for his girlfriend on-line final week that was scheduled to reach final Friday; it is now caught in transit on Valentine’s Day, with no indication of when it’d arrive.
“There’s completely no approach I can inform if it is coming, like, this week or subsequent week,” he informed CBC Information in an interview. “There is no timeline for it, so sadly, I will simply have to attend it out and see. After which see if they provide compensation … however I do not suppose they’ll.”
Indigo stated Tuesday in an announcement posted to social media that buyer debit and bank card info was not compromised.
Retaining you up to date <a href=”https://t.co/6H0dsyaeVd”>pic.twitter.com/6H0dsyaeVd</a>
The corporate has been comparatively tight-lipped about what’s occurred, however a number of cybersecurity corporations interviewed by CBC Information say the incident has all of the hallmarks of what is often called a ransomware assault. That is the time period for when hackers infiltrate an organization’s inner methods, disable them, then demand a ransom to undo what they’ve performed.
It is a rising drawback. Statistics Canada says ransomware assaults amounted to 11 per cent of all cyber safety incidents in 2021 — the newest yr for which updated information is accessible.
Grocery chain Sobeys was a latest high-profile sufferer, with the corporate being hit by a ransomware assault in November that left the chain unable to fill prescriptions on the its pharmacies for 4 days, whereas different in-store features, like self-checkout machines, gift-card use and the redemption of loyalty factors, had been offline for a couple of week.
In its most up-to-date quarterly earnings, the corporate stated the incident value it about $25 million.
Cybersecurity professional Cat Coode says it is “very probably” that Indigo has been hit by one thing comparable. The timing and length of the outage suggests it is one thing exterior, she says, as does the sheer variety of methods concerned, together with fee and stock methods each in retailer and on-line.
“The truth that we see two separate and distinct methods which have gone down is a sign that it is a malicious assault and never an accident that is occurred inside the corporate,” she stated.
Whatever the trigger, the longer the outage stretches on the more serious the injury might be, says Daniel Tsai, a lecturer in legislation and enterprise know-how at College of Toronto and Toronto Metropolitan College.
“It should have an effect on their gross sales and repute as a result of shoppers are actually targeted on the reliability of the positioning and if they can not go on … guess what, they are not going to come back again,” he stated in an interview. “The longer this goes on, the better the punishment.”
Whereas she’s assured the retailer is probably going the sufferer of a ransomware assault, Coode is equally assured that it is unlikely delicate client info, corresponding to credit-card information, was stolen.
“As a result of there hasn’t been an announcement that there was a breach of non-public info signifies probably that nobody has taken the data out of the corporate,” she stated.
“The minute you say the phrase ‘breach,’ you fired off the alarm — you need to notify the privateness commissioner.”
By legislation, Canadian corporations that have cybersecurity breaches the place buyer information is stolen are required to report the breach to the Workplace of the Privateness Commissioner of Canada “as quickly as possible.”
In an announcement to CBC Information, the commissioner’s workplace says it “is conscious” of the scenario at Indigo and is “in communication with the group in an effort to receive extra info together with a proper breach report, and to find out subsequent steps.”
“I’m not ready to supply any extra details about this matter right now,” the spokesperson stated on Friday.
CBC Information reached out to the company on Tuesday to see if that standing has been up to date.
Indigo spokesperson Melissa Perri stated the corporate was persevering with to work with third-party specialists to analyze the scenario and perceive whether or not any buyer information has been accessed.