Indigo cyberattack highlights mounting prevalence, sophistication of hackers: Experts

By Brett Bundale

A cybersecurity incident stretched into its fifth day at Indigo Books & Music Inc. on Monday, illuminating the growing risk of cyberattacks on Canadian companies and consumers.

The ongoing outage of the bookstore’s website serves as a warning of the mounting dangers facing organizations and individuals online, experts say.

“These attacks are becoming more prevalent and more sophisticated,” said Charles Finlay, executive director of Rogers Cybersecure Catalyst at Toronto Metropolitan University.

“It’s not if but when these attacks will occur,” he said. “Every organization either already has been the victim of an attack, or will be the victim of an attack.”

Last week, Indigo said it had experienced a “cybersecurity incident” impacting its website and electronic payment system. The company said it was working with third-party experts to investigate and resolve the situation.

Although the bookstore is once again able to accept debit, credit and gift cards in stores, Indigo’s website remained off-line on Monday.

On social media, Indigo told customers it changed its in-store payment technology as part of its incident response.

The bookstore has said customers may experience delays with part or all of online orders and returns, while its stores were still unable to accept returns in person.

Indigo spokeswoman Melissa Perri said the company was continuing to work with third-party experts to investigate the situation and understand whether any customer data has been accessed.

Canadian retailers have experienced a growing number of cyberattacks in recent months.

Sobeys parent company Empire Co. Ltd. experienced a security breach late last year.

The incident in early November left customers unable to fill prescriptions at the chain’s pharmacies for four days, while other in-store functions like self-checkout machines, gift card use and the redemption of loyalty points were off-line for about a week.

Empire later said the attack was expected to cost $25 million after insurance recoveries.

“It takes time for corporations to really develop a comprehensive cybersecurity plan,” said Mark Hubbard, senior vice-president of information technology for First Onsite Property Restoration.

“There are companies out there that are ripe for the picking and these threat actors are firing these attacks out and just seeing what sticks,” he said. “Some organizations recover fairly quickly but it can be catastrophic for others.”

While big companies with deep pockets usually survive cyberattacks, smaller businesses often don’t fare as well, experts say.

More than half of small businesses close within six months of a cyberattack, said Mandy D’Autremont, vice-president of marketing partnerships at the Canadian Federation of Independent Business, which offers a training program for business owners and their employees on how to improve cybersecurity.

“There is a real risk for the survival of small businesses,” she said. “Cyber criminals are always developing more advanced and sophisticated ways of trying to trick you and break through a business’s defences.”

The average cost of a successful cyberattack for a small business is $26,000, she said.

“These attacks can be devastating for organizations,” Finlay said. “A significant proportion of businesses that suffer serious cybersecurity attacks do not survive.”

Cyberattacks can prevent organizations from completing transactions as well as tarnish a company’s relationship with customers and employees, he said.

“They lose the value of the transactions that they can’t complete. There’s a significant cost to restoring systems. There’s disrupted relationships with consumers. There’s disrupted internal processes. There’s impact to employee morale. There’s regulatory scrutiny,” Finlay said. “Cyberattacks are incredibly destructive.”

The Office of the Privacy Commissioner of Canada has said it’s aware of the Indigo cybersecurity incident and is in communication with the organization “in order to obtain more information, including a formal breach report, and to determine next steps.”

This report by The Canadian Press was first published Feb. 13, 2023