Shopify Builds Website for Ransomware-Hit Indigo in 3 Days

February 28, 2023

Shopify showed incredible technical prowess and set up a new website for Canada’s popular bookstore company Indigo to help them resume online selling. It took Shopify just three days to set up an online store for Indigo after ransomware on its website forced a week-long shutdown.

For an entire week, Indigo was unable to process e-commerce as well as in-store sales. The Canadian retailer reached out to Shopify for assistance, and Shopify impressed everyone with a new feature-loaded website.

We detected unauthorized access to some of our computer systems. We acted quickly to stop this event and prevent further unauthorized access. We worked with external experts to investigate and resolve the situation as quickly as possible.

Andrea Limbardi, President, Indigo

Shopify For Help

Shopify president Harley Finkelstein took to Twitter to share how Shopify helped Indigo return online. “Last week, one of Canada’s biggest retailers and bookstores, Indigo, was completely down both online and in-store. They came to us, and in 3 days, we were able to build them a new site & get them back online and selling. That’s the power of Shopify,” he tweeted.

On February 8, Indigo cited a cybersecurity incident to describe the e-commerce and in-store shutdown. Later, the company confirmed it as a ransomware attack, which also affected the company computers and payment system. Indigo estimated a loss of “millions” of dollars in lost sales due to this hack.

Nine days after confirming the ransomware attack, Indigo announced the arrival of a Shopify-powered new and temporary website. “Welcome to our temporary online home where you can shop thousands of books and browse our curated selection of lifestyle products. Find more of what you love online or in-store,” Indigo states on the new website.

Current Status

Currently, the functions are limited on Indigo’s new website. Initially, customers were only allowed to browse, but now the website permits them to buy “select books” online. On the home page, Indigo displays its tagline: “Shop books online. Window-shop lifestyle.”

Indigo has yet to announce when it will return to full functionality and relaunch its original website or mobile application. “We are working hard to provide the seamless online shopping experience that you have come to expect,” Indigo said, as quoted by betakit.com.

“Currently we are only selling select books online and look forward to expanding the assortment shortly. Please check back daily for updates and progress,” the company added.

No Loss of Consumer Data

Indigo is also conducting an investigation to find out the source of the ransomware. The company has not mentioned any loss of customer data due to the cyber attack. However, The Globe and Mail claimed in a report that the personal information of the company employees was breached by hackers. The loss of data includes social insurance numbers and financial details of Indigo employees.

“We recently learned that your personal information may have been acquired by an unauthorized third party between Jan. 16, 2023, and Feb. 8, 2023,” Indigo president Andrea Limbardi said in a memo to her staff.

“We know this may be concerning news to receive and are deeply sorry for this breach of your information,” Limbardi added.

The Lost Data

The internal memo obtained by The Globe and Mail further stated that the affected data included name, phone number, e-mail address, date of birth, residential address, social insurance number, postal code, direct deposit information, bank account number, branch number and financial institution name.

Limbardi warned her employees to be cautious of identity theft or fraud. She added that the hackers might have leaked the employees’ personal information to the dark web, which is used for illicit purposes.

“You should consider contacting your local police and visit the Canadian Anti-Fraud Centre for support. You should also review the RCMP’s Identity Theft and Identity Fraud Victim Assistance Guide for steps you can take,” Limbardi said.

Is Memo Real?

Indigo spokesperson Melissa Perri confirmed the authenticity of the internal memo. “Earlier this month, Indigo experienced a ransomware attack that affected some of our systems. We also shut down some of our systems as a precaution,” Perri said in a statement.

“While we have no reason to believe customer data has been improperly accessed, our investigation found that some employee data was. We are in the process of notifying all affected employees. We have also notified and are co-operating with law enforcement,” the statement added.

Indigo claimed on its website that no information related to customer credit and debit cards was compromised in the cyber attack. “We do not store full credit card or debit card numbers in our systems,” the website states.

Recent Cyber Attacks

According to cyber experts, the ransomware attack on Indigo was the latest addition to recent high-profile cyberattacks on big Canadian companies. Ontario’s Liquor Control Board, Empire Co of Sobeys and Toronto’s Hospital for Sick Children were victims of recent cyber attacks.

Indigo has opted for “additional assurance and protection” for its employees with the help of TransUnion of Canada Inc. The consumer reporting agency will notify the employees of any “critical changes” to their credit scores to save them from potentially fraudulent activity.

“Through TransUnion, we have arranged a two-year subscription to TransUnion myTrueIdentity, an online monitoring service, at no cost to you,” Limbardi said in the memo.

Indigo is offering cyber protection to its staffers and former employees and providing them with activation codes for the subscription. The subscription of myTrueIdentity ensures “monitoring of surface, social, deep and dark websites for potentially exposed personal, identity and financial information in order to help protect consumers against identity theft,” explained Limbardi.

More Information Awaited

Limbardi’s memo didn’t mention the source of the cyber attack or whether the company has paid a ransom or will pay one in the future.

“We detected unauthorized access to some of our computer systems. We acted quickly to stop this event and prevent further unauthorized access. We worked with external experts to investigate and resolve the situation as quickly as possible. Every step of the way, the protection of employee and customer data and privacy has been a top priority,” the memo sent on Thursday stated.

Until Thursday, Indigo hadn’t confirmed the ransomware attack and kept calling it a cyber incident. However, it now knows what the issue is, and with partners like Shopify and TransUnion, Indigo must have eased some of its worry.
