Written by Robert Bond on 13 March 2023

Largest Canadian Bookstore is the Victim of a Zero-Day Cyber Attack

Indigo, the largest Canadian bookstore, reported a cyber attack last month, and since then multiple reports have indicated that a cybercriminal gang claimed responsibility for the attack, which compromised massive amounts of sensitive employee information. Indigo has thousands of employees, 86 superstores under the Chapters and Indigo banners, and 123 small-format stores. BleepingComputer learned from a leading threat intelligence organization that at least one cybercrime market sold Indigo credentials stolen by StealerLogs malware.



For those wanting to understand the attack's ramifications, it is essential to understand how this breach took place and what it implies for businesses in our digital age. In this blog post, we will explore what is known about the Indigo hack so far and discuss best practices organizations can adopt in their own security strategies.

On Feb. 8, Indigo's website was taken down by what the company last week admitted was a ransomware attack. Customers continue to face issues accessing their online orders. And for at least a week, even those shopping in person were affected, because the breach had also shut down computers in stores.

Indigo has since created a temporary website. It can now accept in-store payment through debit cards, credit cards, and gift cards. But the new website only allows customers to browse, with the ability to purchase "select books" online. The company's shipping and delivery services also continue to be affected by the attack.


Who Conducted the Indigo Cyber Attack

Several days ago, the company said, “On February 8, 2023, Indigo experienced a ransomware attack,” in an updated FAQ on its website. “Through our investigation, we learned there is no reason to believe customer data has been improperly accessed, but that some employee data was.”

"We are notifying all affected employees," the site says. "We have also notified and are cooperating with law enforcement. Since this incident, we have been working with third-party experts to strengthen our cybersecurity practices, enhance data security measures and review our existing controls."

As of the time of this writing, the company has been able to restore online sales of books — but not of the other items it sells. Further, it has decided not to pay a ransom after the cyberattack took down the Canadian retailer's e-commerce operations last month.

In an internal letter sent to staff by e-mail late Wednesday, Indigo president Andrea Limbardi said the company’s network was “illegally accessed using ransomware software known as LockBit,” a specific piece of malware that carries the same name as the criminal organization behind it, which has ties to Russia.


What We Know Now - How the Indigo Cyber Attack Was Executed

The attack appears to have been conducted using fairly advanced tactics; the hackers may have used zero-day exploits, or previously undiscovered vulnerabilities, to access Indigo's network. It also seems that the threat actors had some form of insider knowledge, as they were able to access the company's network undetected for several months before the attack was discovered.

As with any cyber security incident, this event has sparked conversations about how such devastating breaches can be prevented in the future. While a zero-day vulnerability is, by its nature, impossible to defend against in advance, organizations should ensure that their incident response teams are prepared and that their data is encrypted to protect it from falling into the wrong hands. They should also make sure they have adequate backup procedures in place so that, if an attack does occur, they can quickly recover lost data without compromising its integrity. Finally, companies should provide regular training sessions to their staff on best practices when using digital tools, to help reduce the risk of a data breach.


Preventing a Cyber Attack – Taking Baby Steps

Part of the reason Canadians may face identity theft due to cyberattacks is that corporate entities such as Indigo keep too much information for too long, according to Privacy and Access Council of Canada president Sharon Polsky.

"We have to look to our employers and ask why, why are you keeping this information?" she said, noting that domestic law may not be sufficient to protect Canadian data because many companies store their information on international servers. At the same time, cyber-crime organizations often operate outside of court jurisdictions.

"We can't look to the legislation that is, at best, 20 years old and was developed before all of these technologies were even contemplated," said Polsky.

The Indigo hack is another reminder that even the most secure networks can be vulnerable to attack. While there is no way to guarantee 100% protection, businesses should take proactive steps to reduce the risk of such a devastating incident happening in the future. By increasing their cybersecurity measures and educating their staff on how to use digital tools safely and securely, companies can help protect themselves against potential threats. In this ever-changing landscape of cyber security, organizations need to remain vigilant and stay one step ahead of hackers to keep their sensitive information safe.

