Book lovers across Canada had cause for concern this February as Canada’s leading retailer of literature, Indigo, experienced a ransomware attack that exposed sensitive banking information to cybercriminals.
Here’s a brief timeline of the attack:
- Jan 16 - Feb 8 — Indigo’s network is infiltrated and data is taken by cybercriminals [IT World Canada]
- Feb 8 — Indigo announces they’ve experienced a cybersecurity incident [@ChaptersIndigo]
- Feb 8 - 17 — Indigo’s website is offline and unavailable [@chaptersindigo]
- Feb 8 - 14 — In-store purchases can only be made using cash [@chaptersindigo]
- Feb 14 — Indigo restores credit and debit for in-store purchases, but gift cards remain unavailable [@chaptersindigo]
- Feb 17 — Indigo launches a new temporary website and announces that customer data has not been compromised, although employee data has been [@chaptersindigo]
According to the Toronto Star, “the information at risk includes employees’ email address, phone number, birth date, home address, postal code, social insurance number and banking information such as employee direct deposit information, including the name of the financial institution, bank account number and branch number.” Indigo has contracted TransUnion of Canada to offer two years of credit monitoring and identity theft protection to employees at no cost.
“Too often organizations do not give their IT leaders the time, resources and budget to proactively address cybersecurity. The thought process is that security is the IT department’s responsibility, and not that of the extended business,” says Chris King, Vice President and Partner at IX Solutions. “When unfortunate news like this comes out, it is a painful reminder to us all that security is everyone’s responsibility.”
While the investigation is still ongoing, this ransomware attack serves as yet another sobering reminder for organizations that have yet to implement proactive cybersecurity measures to protect their organization. To fully understand the weight of an incident of this scale, let’s dive into the impact on Indigo.
The impact on Indigo
1) Lost sales and revenue
For nine days, Indigo’s website was fully offline, and for six of those days, the organization only accepted cash for in-store purchases. With revenue of over $1.06 billion reported in 2022, Indigo averages $20.4 million in sales per week. Since both online and in-store sales were impacted by this incident, we can assume the bottom line loss for the organization has a figure somewhere in the tens of millions. Ouch!
2) Unexpected costs
Lost revenue won’t be the only financial impact on Indigo as a result of this incident. Often, organizations don’t realize the extent of unexpected or hidden costs that are incurred following a cyberattack. These costs can include professional fees for issues management (legal and public relations), cybersecurity recovery efforts, website development and more.
In a Tweet, Shopify’s president Harley Finkelstein boasted about getting Indigo back up and running on a temporary website within just three days. While this is an impressive accomplishment, there’s no doubt it came with a hefty bill for the Canadian retailer.
3) Reputational damage
Reputational damage can have the most insidious impact on an organization during a cyberattack, because it typically impacts the organization over a long period of time. When customers can't access your services or products, they may become frustrated, resulting in lost business and a tarnished reputation.
For public organizations like Indigo that have shareholders to consider, reputational damage can be felt almost instantly. From February 8 - 28, Indigo’s stock fell 18%—an indicator that some investors may have lost trust in the organization.
How you can mitigate ransomware risk
Indigo and many others have felt the sting and impact that downtime can have on an organization. So what lessons can be learned from them to proactively prepare for an incident?
1) Invest in cybersecurity
Indigo’s incident is a testament to just how crucial it is to invest in robust cybersecurity measures that can prevent, detect, and respond to cyber threats. Today, it’s necessary for organizations to continually assess their vulnerabilities and implement appropriate security controls—from firewalls to antivirus software, intrusion detection systems, and data backup and recovery procedures. Regular security audits and penetration testing can also help identify weaknesses in your network and ensure security controls are effective.
“In working with IT leaders on security initiatives, the most difficult task we face is not deploying technology,” says Chris King. “It’s communicating the risk and gaining acceptance and buy-in from the business that we must have a plan and act on it. Where we’re successful in that communication—that’s where we see the most mature and well-developed security postures.”
2) Educate employees
Cybercriminals often exploit human error to gain access to an organization's network through methods like phishing and social engineering. Educating employees on cybersecurity best practices including how to recognize and avoid suspicious emails and links, how to create strong passwords, and how to report security incidents should be an ongoing agenda item for the C-suite. With regular security awareness training, your organization can develop a security-conscious culture.
3) Have an incident response plan
Despite precautions, no organization is entirely immune to cyber attacks. So, having a “rainy day plan” that details your strategy for responding to incidents can help to minimize the impact of a security breach. The response plan should include a clear chain of command, procedures for isolating and containing the attack, and communication protocols for notifying stakeholders—including customers and employees. Regular testing and updating of the response plan can help ensure that it is effective in a real-life scenario.
Is your cybersecurity up to speed?
Has Indigo’s story inspired you to fortify your organization’s cybersecurity? IX Solutions can help your business stay steps ahead of the threat landscape with proactive cyber-threat monitoring, detection, response and remediation. With enterprise-grade security solutions, we can optimize your security posture and shield your business from malicious attacks.