Skip to content

One month after cyberattack hit, what's next for Indigo?

One month after a cyberattack hit Indigo Books & Music Inc., Canada's biggest bookstore chain is back online, although, still grappling with the fallout.
20230307110348-4214a7cbb6825d9fd084f92d1ab6f643d8df6736c68944560a093be5f1fbba40
An Indigo bookstore sign is illuminated on a storefront Tuesday March 30, 2021 in Ottawa. One month after a brazen ransomware attack swept Indigo Books & Music Inc., infecting its network and triggering a massive outage of its website and payment system, the bookstore continues to grapple with the fallout of the hack.THE CANADIAN PRESS/Adrian Wyld

One month after a cyberattack hit Indigo Books & Music Inc., Canada's biggest bookstore chain is back online, although, still grappling with the fallout. 

"A month has passed but it's not back to normal for Indigo," said Charles Finlay, executive director of Rogers Cybersecure Catalyst at Toronto Metropolitan University.

"It's a reflection of the complexity and seriousness and potentially devastating impacts of cybersecurity attacks on major businesses."

The company's website appears to be back, although a notice suggests that the online inventory is in the process of being updated. It is still recommended that consumers contact local stores to ensure a specific product is in stock and available for purchase.

On Feb. 8, the ransomware attack began and Indigo's website and payment systems were booted offline. 

The Toronto-based company's website, which had been limited to selling "select books" in recent days, appeared to be offering its full range of goods for sale on Wednesday morning while current and former employees are bracing for their personal information to be posted on the so-called dark web. 

The bookstore chain said its network was hijacked via a ransomware software known as LockBit. 

The hack plunged the company into turmoil as its e-commerce operations and in-store debit and credit card payment systems were halted.  

The bookstore managed to quickly restore its payment systems and soon after launched a temporary browsable-only website.

The retailer recently revealed that it decided not to pay the ransom as it could not be assured that a ransom payment "would not end up in the hands of terrorists or others on sanctions lists."

"There's a calculation that comes down to dollars and cents and risk and reward," Finlay said. "Now we're seeing what plays out when you don't pay a ransom."

Indigo declined an interview request for this story. 

The company isn't alone in being targeted by online hackers. 

Sobeys parent company Empire Co. Ltd., the Liquor Control Board of Ontario, or LCBO, and Toronto's Hospital for Sick Children, or SickKids, all recently fell victim to cyberattacks, underscoring just how pervasive cybersecurity issues are becoming. 

"Everyone is getting hit and sometimes the damage is far more comprehensive than anticipated," said Robert Falzon, head of engineering at Check Point Canada.

"In the past, some organizations have actually chosen insurance as their cybersecurity weapon of choice," he said. "It was cheaper to insure against a major breach than to actually implement correct security and training. But that's going to start changing."

It's unclear when Indigo's website will be fully restored or how much employee data will be leaked online. 

Even a month after the hack, Indigo's investigation is likely still uncovering the full scope of the damage, Falzon said. 

"This isn't over yet for Indigo," he said. "They are still probably figuring out exactly what happened."

Meanwhile, retail experts say the biggest risk to Indigo is the potential loss of customers.

Although losing some online sales connected to Valentine's Day and now potentially March break and Easter could make for a tough quarter, they say the loss of customer loyalty is a bigger long-term threat.

"The stores are fully up and running and in the grand scheme of things that's the most important thing," said Lisa Hutcheson, managing partner at consulting firm J.C. Williams Group.

"But the challenge will be trust and perception issues," she said. "It could take some customers a while to return to Indigo. They might be really nervous."

Indigo's transparency throughout the cybersecurity crisis will go a long way towards reassuring some customers, Hutcheson said.

And a sale wouldn't hurt. 

"Everybody likes a sale," she said. "A friends-and-family sort of event could be helpful. But I don't think it needs to be a sale."

Extra Plum Rewards points to recognize customer loyalty or other offers could entice some reluctant customers to shop at the bookstore once again, she said. 

Tamara Szames, Canadian retail industry adviser with The NPD Group, echoed Hutcheson's thoughts.

"Promotions are very attractive to the Canadian consumer right now. However, is that a tactic to gain back loyalty? It may increase sales and revenue, but if you're looking to gain consumer loyalty and trust back, it's really about putting your best foot forward."

Supporting employees through the breach, sharing with customers how they will safeguard their personal information and being transparent about the process as they move forward will help Indigo earn and regain loyalty, she said.

This report by The Canadian Press was first published March 8, 2023.

Companies in this story: (TSX:IDG)

Brett Bundale, The Canadian Press

push icon
Be the first to read breaking stories. Enable push notifications on your device. Disable anytime.
No thanks