Almost a week after being hit with an apparent cyberattack, book retailer Indigo’s website is still offline, leaving customers with more questions than answers.
The TSX-listed bookseller’s website went dark on Wednesday, Feb. 8. Indigo’s brick-and-mortar stores couldn’t process any transactions that weren’t in cash, leaving anyone who wanted to return or buy an item using debit, credit or gift cards in the lurch.
Within hours, the company posted a message on its website, saying it “experienced a cybersecurity incident” and was communicating with customers through its social media channels.
Through the weekend, physical stores had regained most functionalities, except the ability to process returns after the company changed its in-store payment technology as part of its incident response.
But the website remains offline as of Tuesday afternoon, almost a week after it first went dark.
That is bad news for the company, as it makes it impossible to process any new sales online. But it’s also bad news for customers, like Gabriel Lee, who ordered a gift for his girlfriend online last week that was scheduled to arrive last Friday; it is now stuck in transit on Valentine’s Day, with no indication of when it will arrive.
“There’s completely no way I can tell if it is coming, like, this week or next week,” he told CBC News in an interview. “There isn’t any timeline for it, so sadly, I will simply have to wait it out and see. And then see if they offer compensation … but I do not think they will.”
The company has been relatively tight-lipped about what’s happened, but a number of cybersecurity companies interviewed by CBC News say the incident has all the hallmarks of what is known as a ransomware attack. That is the term for when hackers infiltrate a company’s internal systems, disable them, then demand a ransom to undo what they’ve done.
It is a growing problem. Statistics Canada says ransomware attacks amounted to 11 per cent of all cyber security incidents in 2021, the most recent year for which up-to-date data is available.
Growing problem
Grocery chain Sobeys was a recent high-profile victim, with the company being hit by a ransomware attack in November that left the chain unable to fill prescriptions at its pharmacies for 4 days, while other in-store functions, like self-checkout machines, gift-card use and the redemption of loyalty points, were offline for about a week.
In its most recent quarterly earnings, the company said the incident cost it about $25 million.
Cybersecurity expert Cat Coode says it is “very likely” that Indigo has been hit by something similar. The timing and duration of the outage suggest it is something external, she says, as does the sheer number of systems involved, including payment and inventory systems both in store and online.
“The fact that we see two separate and distinct systems which have gone down is a sign that it is a malicious attack and not an accident that is occurred inside the company,” she said.
While she’s confident the retailer is likely the victim of a ransomware attack, she’s equally confident that it is unlikely sensitive consumer information, such as credit-card data, was stolen.
“Because there hasn’t been an announcement that there was a breach of personal information indicates likely that nobody has taken the information out of the company,” she said.
“The minute you say the phrase ‘breach,’ you fired off the alarm — it’s important to notify the privacy commissioner.”
By law, Canadian companies that experience cybersecurity breaches where customer data is stolen are required to report the breach to the Office of the Privacy Commissioner of Canada “as quickly as possible.”
In a statement to CBC News, the commissioner’s office says it “is aware” of the situation at Indigo and is “in communication with the organization in order to obtain more information including a formal breach report, and to determine next steps.”
“I’m not able to supply any extra details about this matter at the moment,” the spokesperson stated on Friday.
CBC News reached out to the company on Tuesday to see if that status has been updated.
Indigo spokesperson Melissa Perri said the company was continuing to work with third-party experts to investigate the situation and understand whether any customer data has been accessed.