Indigo cyberattack highlights mounting prevalence, sophistication of hackers: experts

By CityNews Staff

A cybersecurity incident stretching into its fifth day at Indigo Books & Music Inc. has illuminated the increasing risk of cyber attacks on Canadian companies and consumers, experts say.

The ongoing outage of the bookstore's website serves as a warning of the mounting dangers facing organizations and individuals online, they say. 

“These attacks are becoming more prevalent and more sophisticated,” said Charles Finlay, executive director of Rogers Cybersecure Catalyst at Toronto Metropolitan University.

Last week, Indigo announced it had experienced a “cybersecurity incident” impacting its website and electronic payment system. The company said it was working with third-party experts to investigate and resolve the situation. 

Although the bookstore is once again able to accept debit, credit and gift cards in stores, Indigo's website remained off-line on Monday. 

Finlay said as hackers become increasingly savvy and more of our lives happen online, “every organization either already has been the victim of an attack, or will be the victim of an attack.”

“It's not if but when these attacks will occur,” he said.

On social media, Indigo told customers it changed its in-store payment technology as part of its incident response.

The bookstore has said customers may experience delays with part or all of online orders and returns, while its stores were still unable to accept returns in person. 

Indigo spokeswoman Melissa Perri said the company was continuing to work with third-party experts to investigate the situation and understand whether any customer data has been accessed.

Canadian retailers have experienced a growing number of cyber attacks.

Sobeys parent company Empire Co. Ltd. saw a security breach late last year that shut down its pharmacy services and other in-store functions. 

The incident in early November left customers unable to fill prescriptions for four days, while other in-store functions like self-checkout machines, gift card use and the redemption of loyalty points were off-line for about a week. 

Empire said in December the attack was expected to cost $25 million after insurance recoveries.

While big companies with deep pockets usually survive cyberattacks, smaller businesses often don't fare as well, experts say. 

More than half of small businesses close within six months of a cyberattack, said Mandy D’Autremont, vice-president of marketing partnerships at the Canadian Federation of Independent Business, which offers a training program for business owners and their employees on how to improve cybersecurity. 

“There is real risk for the survival of small businesses,” she said. “Cyber criminals are always developing more advanced and sophisticated ways of trying to trick you and break through a business's defences.”

The average cost of a successful cyberattack for a small business is $26,000, she said. 

“These attacks can be devastating for organizations,” Finlay said. “A significant proportion of businesses that suffer serious cybersecurity attacks do not survive.”

Cyberattacks can prevent organizations from completing transactions as well as tarnish a company's relationship with customers and employees, he said. 

“They lose the value of the transactions that they can't complete. There's a significant cost to restoring systems. There's disrupted relationships with consumers. There's disrupted internal processes. There's impact to employee morale. There's regulatory scrutiny,” Finlay said. “Cyberattacks are incredibly destructive.”

The Office of the Privacy Commissioner of Canada has said it's aware of the Indigo cybersecurity incident and is in communication with the organization “in order to obtain more information, including a formal breach report, and to determine next steps.”

This report by The Canadian Press was first published Feb. 13, 2023
