The Decibel - How Canada’s biggest bookshop got hacked
Episode Date: March 1, 2023
On February 8, Indigo’s website went down and customers couldn’t buy products in-store either. After scrambling to launch a new website with limited e-commerce abilities, the company announced a major breach of personal and financial information of employees.
The Globe and Mail’s technology reporter, Temur Durrani, has been speaking to employees about the life-long impacts of this breach, what is being done about it and why ransomware attackers are taking aim at Canadian companies and public institutions.
Questions? Comments? Ideas? Email us at thedecibel@globeandmail.com
Transcript
So, Temur, I'm on Indigo's website, and the first thing I see is a message from the company that says,
Welcome to our temporary online home where you can shop thousands of books and browse our curated selection of lifestyle products.
So the temporary home of the company here.
And I've clicked through a bunch of books, and a lot of them are not available for purchase online.
So, Temur, what is going on here?
This is because as of February 8th, Indigo's entire e-commerce operations were completely taken down
by what the company initially described as a cybersecurity incident.
And now they're actually calling it a ransomware attack.
And right now they can still not access orders.
You still can't place them online.
You have to go in stores to place them and pay for them.
It even impacted in-store operations as well, because computers that were in-store were also impacted as a result of the cybersecurity
incident that the company had described.
It's been annoying for customers who can't buy from Indigo, Canada's biggest bookstore
chain.
But it's become a nightmare for Indigo's current and some former employees.
You're just left to clean up this massive, massive mess on your own.
And I don't know how to navigate this.
Like, it's ridiculous.
So, yeah, really quite a loss and quite hurt, probably.
Angry and hurt.
This isn't an isolated incident.
In the last few months, we've seen other big Canadian companies
and even places like hospitals get hit with cyber attacks.
So today, we're talking to Temur Durrani,
the Globe's technology reporter. He'll tell us what we know about this major cyber attack on
Indigo and why ransomware hacks are so costly for companies. I'm Menaka Raman-Wilms,
and this is The Decibel from The Globe and Mail.
Temur, it's great to have you here again.
Thank you. Thanks for having me again.
Okay, so the public kind of knew about this February 8th
when all of these systems went down,
when the website went down.
But we've actually learned
this started a little bit earlier in January.
What do we know about that now, Temur?
So late last week,
I was sent a memo by an employee at Indigo, which was a memo that has been
sent to all employees, current employees for sure, but then even former employees at Indigo.
This is because current and former employees at Indigo have had their social insurance numbers,
financial details and other personal information. And there's a laundry list of all the different
details that have been breached as a result of what now they're describing as a ransomware attack.
So in this memo, Andrea Limbardi, who is the president of Indigo, she told staffers that
we learned that your personal information may have been acquired by an unauthorized
third party since January 16, 2023.
One of the most important things, for example, we've learned is that they believe that, you
know, employees face the risk of having their personal information leaked to the dark web.
And, you know, the dark web, for people that don't know about it, is a part of the Internet that requires, you know, specific software and computer configurations to access and is most known for illegal or illicit activity, business activity.
So things like the illicit organ trade or child pornography or the illegal drug market.
And in this case, most likely stolen identities and fraud.
Wow. I mean, that's a big deal for employees and former employees to have their information, including their SIN number. That's a huge deal for people. Do we know how many employees are affected by this?
We know for sure that there's thousands upon thousands of staffers that have been affected by this, including seasonal employees or, you know, people who work just for a really small time period at Indigo.
Since 2015, all the data that they had collected about employees has all been breached.
So, for example, your name, your email address, your phone number, your birth date, your home
address, your postal code, you know, your social insurance number, your banking information,
including your direct deposit information, the name of your bank, you know, everything that you would potentially need to give an
employer of any type about when you're working for them, about your personal life and your
financial life has all been breached for these employees at Indigo.
You gave the date of 2015 there, Temur.
So do we know if you've worked since 2015, you will for sure be affected by this?
How do we know, I guess, if you are a former employee, if you should be worried?
A lot of former employees have reached out to me and told me that they tried to ask Indigo about it. And Indigo told them that the 2015 date is important. So they told them that after 2015, you are likely to have been impacted by this as well. I also spoke to one employee who has worked there 17 years ago and also got this email.
17 years ago. So what is that? 2006, really?
Yeah.
Okay. So even if you worked there before 2015, you could be caught up in this?
Essentially, yes.
Okay. And what about customer data, like credit cards, debit card information? Is that safe?
So Indigo from the get-go was very clear about this. They were very clear that customer data has not been improperly accessed.
Now, again, this is based on what they are saying, that they don't store credit and debit card information for their customers.
And so based on that fact, they are suggesting that because we don't store it, it's not been compromised.
Okay. So it sounds like the, you know, from what we know, employees really are the people who should probably be the most concerned here.
And of course, Temur, you've actually talked to a number of current Indigo employees and
former employees.
What have they been telling you about what this has been like for them?
Yeah, there's been an outpouring of people that have been wanting to talk about it.
I have talked to about 50 or so now employees, right?
And so there's a lot of them that are willing to talk
or are, you know, currently working there.
It's a lot of sadness.
It's a lot of anger.
It's a lot of frustration, and understandably so.
I mean, what can employees do anyway?
Like, former employees, what can they do?
Current employees, if they complain,
they're going to get fired or whatever.
It's a minimum
wage job for people in the stores. So I guess we were like collateral damage that they could deal
with later. That's how I felt anyway. How does it even make sense that it goes from like a company
to like customers not being breached? Like, thank God for that. But like us that were the front line,
like you have all of our information and it's not just
like your current employees this goes back to like employees that have been there for five plus years
before so it's like it just I don't know it's it's a lot to digest I've had so many emotions
it's kind of just residing in anger um and sadness um there's just so much anger from all of the employees
and really just feeling like there's no recourse. Like we got
this email and then silence
like radio silence.
I think it's important also to highlight
the fact that these are minimum wage jobs
that mostly people work at at Indigo.
A lot of them are young people
and I mean by young minors because
you know these are people who do their first
jobs at
Indigo, at a retailer, you know, much like a job at Tim Hortons or another Starbucks or, you know,
just type of a chain. Right. And so, you know, these are women in a lot of cases. Most of the
people I've talked to actually are women. Most of the people that work at these locations are,
you know, racialized people or vulnerable people who just didn't expect this to happen to them.
Like the last thing they wanted for, in some cases for former employees, you know, the last thing they wanted for a job years ago
was to haunt them in this way, you know, and in a number of cases, they've brought up the fact that
they walked away from this job. They should have walked away from them having this breach affect them in this way.
And when you say haunt them in this way, we're talking about the threat of identity fraud for the rest of their lives, pretty much then.
Absolutely. Absolutely. I mean, this was just a job they maybe worked at
for just a single summer, a very long time ago. And now they're going to see the rest of their
lives impacted as a result of this. I mean, they're trying to take out a loan that's going
to be probably impacted. They see their credit score affected. They're going to be scared that
it was because of this. There's a lot of that at stake here.
We'll be back after this message.
Temur, companies, of course, do get hacked.
We do hear about this.
So I guess why are people taking note of this one so much?
Certainly, we've started hearing this happen
over and over again a lot more
and in a lot more frequency.
But, you know, in 2021, Canadian businesses reported spending a total of $9.7 billion
to detect or prevent cybersecurity incidents, which, you know, was an increase of $2.8 billion
compared to what they spent in 2019.
So businesses are protecting themselves more because I guess the threat is bigger?
Certainly so. There's a lot of data out there, a lot of numbers out there
about how many people have been affected by this.
I mean, in recent memory, we've seen a lot more headlines
of very prominent businesses and also public sector organizations
that have gone through this.
So just to name a few, for example, we recently heard of LCBO,
which is the Liquor Control Board of Ontario.
Then we also heard of SickKids,
which is the hospital for sick children here in Toronto.
We also heard of Sobeys Parent,
the grocery chain Empire Co. Ltd.,
which also went through a cybersecurity incident
late last year.
And so these are things that keep happening in frequency,
and certainly they're also happening
at a lot of big businesses,
which should be scary to all of us.
And that attack on SickKids,
that was big news when that happened in December.
That attack, of course, caused delays in lab and imaging results at the hospital.
But SickKids did say no patient health information was affected by it.
So I guess, Temur, can you just take me through, like, how does an attack like this actually work?
I think it's important to highlight that this is a very specific type of a cybersecurity incident,
which is called ransomware, which is, you know, a type of a malicious software that infects a computer
and restricts users' access to it until a ransom is paid to unlock it. Again, there's so many
different ways that ransomware can happen. In some cases, this display an on-screen alert,
and then, you know, you're worried about it and they, you know, feed off of that emotional
sentiment that you have about, hey, my data might get leaked.
So you click on something that might feel wrong. In some cases, we've also seen you download a file from your personal computer onto your
work computer or something like that.
But it sounds like this is like it's a phishing attack, essentially.
Essentially.
And in a lot of cases, in most cases, it actually happens to be those phishing emails that,
you know, really anyone nowadays gets.
And so if you click on something that has malicious attachments or by downloading it,
and then now they encrypt all your files
or steal all your files in some case.
And in most cases, they end up asking for money for it,
lots and lots of money for it
to be able to give you access back.
So they're asking you, they're holding your data ransom.
You have to pay to get it back there.
And then it sounds like if they're also taking data
like this Indigo breach,
they're taking data, maybe selling it on the dark web. They're actually making money on that end, too. So they're kind of getting paid in two different ways then.
Correct. And I mean, that's that's what it is. You can't even trust that even when they do give you back
your information, have they still kept a version of that information to themselves?
Are they still going to continue to sell it on the dark web? Which, again, that's a whole
complicated system of what that can be used and can't be used for.
But certainly you're right. It is a big lucrative business no matter what you look at it.
And because they're selling it to other people, but they're also trying you to buy it back from them.
So is it fair to say then that these kind of attacks are actually becoming more frequent?
According to cybersecurity experts, it does seem to be the case.
And I mean, I think we're also going through a couple periods of vulnerabilities at the
same time, right?
So the pandemic was a big, big problem because we were all starting to working from home,
meaning our system suddenly became a little bit more vulnerable than they were before
when we were all working from the office or mostly working from the office, meaning we
had more secure systems in place.
So that's one big important thing.
The other thing, too, is that, you know, I think the war in Ukraine, we can't underestimate that because here in Canada, our cyber intelligence
agency, the Communications Security Establishment, last year warned about the increased threat of
cyber attacks and malicious software amid Russia's invasion of Ukraine.
How does that connect to the invasion?
It connects to the invasion because it says that, you know, Russia is directing attacks
specifically through cybersecurity and, you know, these attacks in this way by targeting computers here in Canada and organizations
here in Canada.
We have seen these things happen before where there are countries that, say, for example,
are providing aid or military assistance in any way to Ukraine.
This would be a way to attack their vulnerable institutions.
Again, institutions, whether they're businesses or public sector
organizations, if they're even in any way vulnerable, cyber hackers of any type, whether
they're Russian attackers or not, are going to want to attack it because it's an easy target.
It sounds like these attacks are, we're hearing about them more, sounds like they are becoming
more frequent. Do we have any numbers though, Temur, about like, I guess, how many companies in Canada are affected by this?
So in 2021, nearly one in five businesses
reported experiencing a cybersecurity incident. And in total, those companies reported costs
related to those breaches of more than $600 million, a number that had also increased prior
to the year, you know, so that's one important data set that we can point to. But then globally,
this is a big industry as well. And so I got recent numbers from a ransomware protection market agency research called Allied Market Research, which told us that, you know, the global ransomware protection market was valued at $17.32 billion in 2021 and is projected to reach $82.92 billion by 2031.
Is there kind of a standard for how companies should approach this? Do they actually, a lot of them end up paying to get that data back?
There is certainly no standard by any means. And I
mean, even when you look at departments within separate organizations, there's no standard.
Sometimes even across a singular organization, you're going to see different standards of
cybersecurity from one part of that organization to another. But one thing we can say for sure that
every single cybersecurity expert is going to tell you is that you should be prepared well in advance. You need
to be prepared for these attacks to happen to you. You need to be cyber secure. And in most cases
that we've seen these things happen recently, it's all been because they weren't prepared.
It seems to be that to be the case. They have to pay a lot of money in order to do that. I mean,
in the case for Empire, which, you know, is the company that owns Sobeys and
a bunch of other grocery chains like, you know, IGA and Freshco and that kind of a thing.
They took an estimated $25 million hit because of their cybersecurity breach in November
last year in 2022.
And so, you know, it affected for a number of days their pharmacy services.
You know, it affected other operations for over a week, including, you know, self-checkout terminals, gift cards, redemption of points.
And these are very real impacts that get, you know, not just on customers, but on a company of that nature that is so big and ubiquitous around the country.
And in this way with Indigo, we're seeing that happen here as well.
Yeah. Well, then let's stick with Indigo here, coming back to what's happened at that company. The affected employees and former employees, I mean, they're in a really difficult situation, it sounds like, Temur. What is Indigo? What has the company said that they do to help them?
So in the memo that I was able to obtain last week, which was the memo that they sent to
former and current employees, Indigo said it is providing its workers with what it called additional
assurance and protection in the form of assistance with TransUnion of Canada Incorporated.
And it will help notify workers of critical changes to their credit scores, such as potentially
fraudulent activity.
Now, you know, I think the thing that is important from what I've heard from workers is that
they don't believe this is enough.
I've heard a lot of things about, you know, they're organizing and very seriously organizing now this week to take legal action against Indigo.
OK, so when we're talking about cases of potential identity theft here, Temur, I mean,
that's a that's a serious crime. Shouldn't police or like law enforcement be involved here?
They have notified and are cooperating with law enforcement, meaning they're working with police
about it. Actually, in that memo, they also told employees that one of the things that they should do is that they should consider contacting their local police and visit the Canadian Anti-Fraud Centre for support.
And that they should also review the RCMP's Identity Theft and Identity Fraud Victim Assistance Guide for steps to take.
And so just lastly here, Temur, do we have a sense of when Indigo's full website is going to be back up and running?
We have no idea. And certainly not many employees do either at Indigo.
Temur, thank you so much for taking the time to be here today.
Thank you. Thanks for having me.
That's it for today. I'm Menaka Raman-Wilms.
Our producers are Madeleine White, Cheryl Sutherland, and Rachel Levy-McLaughlin.
David Crosby edits the show.
Adrian Cheung is our senior producer, and Angela Pacienza is our executive editor.
Thanks so much for listening, and I'll talk to you tomorrow.