Week-old hack has likely cost Indigo millions
Incident that took down website latest in string of attacks
Indigo Books & Music is likely losing millions of dollars as it continues grappling with a “cybersecurity incident” a week ago that shut down its website, experts say.
Indigo experienced a cybersecurity incident Feb. 8, that impacted its website and electronic payment system. On Tuesday, the company said in a statement to customers the investigation is ongoing as it works with third-party experts to investigate and resolve the incident.
Currently, all stores are open and accepting debit, credit and gift card transactions, but are unable to accept exchanges and returns.
The online store remains down and will be relaunched “soon,” the company said.
“Customer credit and debit card information was not compromised by our recent cybersecurity incident,” the statement said. “We do not store full credit or debit card numbers in our systems.”
The customer points program also remains unaffected, it continued.
Indigo would not comment on how much money it has lost, but it’s predicted to be at least millions of dollars, if not tens of millions, said Bruce Winder, retail analyst and author.
“We don’t know what the bill is here,” said Winder. “But there will be damage and we’ll have to wait and see if the financial loss is big enough for Indigo to report.”
Indigo follows the latest stream of major retailers facing cybersecurity attacks, raising alarm bells on potential company and customer data breaches, experts say.
Sobey’s parent company, Empire Co. Ltd., experienced a security breach in November 2022 which left customers unable to fill prescriptions at their pharmacy locations for multiple days, while checkout machines and gift card use were offline for about a week. The cyberattack cost the company $25 million.
In December 2022, SickKids hospital experienced a ransomware attack, affecting its phone lines and internal payroll systems and in January 2023, LCBO reported a data breach that potentially compromised customers payment information.
Cybersecurity threats are becoming more sophisticated and largescale, and will occur with greater frequency, said Charles Finlay, executive director of Rogers Cybersecure Catalyst at Toronto Metropolitan University.
“The environment is serious and deteriorating,” he said.
The rise of e-commerce and the pandemic forced more companies to transition to commercial transaction online creating more vulnerabilities that hackers can exploit, he added.
“Attackers are more innovative now. They’re well organized and resourced,” Finlay said. It’s not surprising, he added, that Indigo’s website and some operating systems have been down for a week.
Because cybersecurity can be “extremely damaging” it can take a significant amount of time to bring commercial operations back.
“Retailers are not immune to cyber attacks which have increased in many industry sectors, both in Canada and internationally. This issue is a top priority for everyone,” said Michelle Wasylyshen, spokesperson for Retail Council of Canada.
Retailers can undertake measures to prevent ransomware attacks, including training employees about phishing emails and increasing the use of multifactor authentication for information systems, she said. They also need to ensure they have secure and up-to-date backups of critical systems and data.
“If companies have backed up their data, they are less vulnerable to the pressure to pay a ransom,” Wasylyshen added.
Attackers innovate new types of attacks, including software supply chain attacks on third-party IT systems, but ransomware incident response exercises can help companies be better prepared, she said.
“Every company needs a cybersecurity plan,” said Lisa Hutcheson, retail industry analyst.
“It’s not a matter of if, it’s a matter of when.”
In 2021, 18 per cent of Canadian businesses were impacted by cybersecurity incidents, with large businesses of 250 employees or more experiencing 37 per cent of the attacks, according to Statistics Canada. Data for 2022 isn’t available yet.
“It’s a huge operational disruption and will be a blow to Indigo’s revenue as their website has been down,” Hutcheson said. “Luckily February isn’t the busiest time but they lost some traction with Valentine’s Day sales.”
While the public has empathy for the retailer, if the problem doesn’t get fixed quickly public sentiment can start to sour, said retail analyst Winder.
“If it goes on too much longer it starts to look like an Indigo problem and not a hacker problem,” he said. “They’ll start to ask why the company didn’t prepare for something like this.”
Going forward, Canadian’s shouldn’t be surprised by cybersecurity attacks hitting large retailers, experts say.
“This is the new normal and will continue to happen,” said Toronto Metropolitan University’s Finlay. “There’s an increase in the severity of the attacks which is why it’s so important we all take the steps we can to prevent these attacks and when they do happen, we must be prepared to handle them.”