Indigo website still offline nearly 1 week after cybersecurity incident

Almost a week after being hit with an apparent cyberattack, book retailer Indigo's website is still offline, leaving customers with more questions than answers.

The TSX-listed bookseller's website went dark on Wednesday, Feb. 8. Indigo's brick-and-mortarstores could not process any transactions that were not in cash, leaving anyone who wanted to returnor buy an itemusing debit, credit or gift cards in the lurch.

Within hours, the company posted a message on its website, saying it "experienced a cybersecurity incident" and was communicating with customers via its social media channels.

Through the weekend, physical stores had regained most functionalities,except the ability to process returns afterthe company changed its in-store payment technology as part of its incident response.

But the website remains offline as of Tuesday afternoon, almost a week after it first went dark.

That's bad news for the company, as it makes it impossible to process anynew sales online. But it's also bad news for customers, like Gabriel Lee, who ordered a gift for his girlfriend online last weekthat was scheduled to arrive last Friday;it's now stuck in transit on Valentine's Day, with no indication of when it might arrive.

"There's absolutely no way I can tell if it's coming, like, this week or next week," he told CBC News in an interview."There's no timeline for it, so unfortunately, I'm going to just have to wait it out and see. And then see if they offer compensation but I don't think they will."

Indigo said Tuesday in a statement posted to social media that customer debit and credit card information was not compromised.

The company has been relatively tight-lipped about what's happened, but multiple cybersecurity companiesinterviewed by CBC News say the incident has all the hallmarks of what's known as a ransomware attack. That's the term forwhen hackers infiltrate a company's internal systems, disable them, then demand a ransom to undo what they've done.

It's a growing problem. Statistics Canada says ransomware attacks amounted to 11 per cent of all cyber security incidents in 2021the most recent year for which up to date data is available.

Growing problem

Grocery chain Sobeys was a recent high-profile victim, with the company being hit by a ransomwareattack in November that left the chain unable to fill prescriptions at the its pharmacies for four days, while other in-store functions, like self-checkout machines, gift-card use and the redemption of loyalty points, were offline for about a week.

In its most recent quarterly earnings, the company said the incident cost it about $25 million.

Cybersecurity expert Cat Coodesays it's"very likely" that Indigohas been hit by something similar. The timing and duration of the outage suggests it's somethingexternal, she says, as does the sheer number of systems involved, including payment and inventory systems both in store and online.

"The fact that we seetwo separate and distinct systems that have gone down is an indication that this is a malicious attack and not an accident that's happened inside the company," she said.

Regardless of the cause, the longer the outage stretches on the worse the damage will be, says Daniel Tsai, a lecturer in law and business technology at University of Toronto and Toronto Metropolitan University.

"It's going to have an impact on their sales and reputation because consumers are really focused on the reliability of the site and if they can't go on ... guess what, they're not going to come back," he said in an interview. "The longer this goes on, the greater the punishment."

While she's confident the retailer is likely the victim of a ransomware attack, Coode isequally confident that it's unlikely sensitive consumer information, such as credit-card data, was stolen.

"Because there hasn't been an announcement that there has been a breach of personal information indicates likely that no one has taken the information out of the company," she said.

"The minute yousay the word 'breach,' youfired off the alarm you have to notify the privacy commissioner."

By law, Canadian companies that experience cybersecurity breaches where customer data is stolen are required to report the breach to the Office of the Privacy Commissioner of Canada"as soon as feasible."

In a statement to CBC News, the commissioner's office says it "is aware" of the situation at Indigo and is "in communication with the organization in order to obtain more information including a formal breach report, and to determine next steps."

"I am not in a position to provide any more information about this matter at this time," the spokesperson said on Friday.

CBC News reached out to the agency on Tuesday to see if that status has been updated.

Indigo spokesperson Melissa Perri saidthe company was continuing to work with third-party experts to investigate the situation and understand whether any customer data has been accessed.