Skip to content

Timeline of the ransomware attack against Canadian bookstore retailer Indigo

TORONTO — It's been one month since a ransomware attack hit Canada's biggest bookstore chain. The hack kicked Indigo Books & Music Inc.
20230307130328-a0fdfa167338009221d0c4a0838b2523d265ada978640adeb1fbfed036a71654
An Indigo bookstore is seen Wednesday, November 4, 2020 in Laval, Que. It has been one month since a ransomware attack hit Canada's biggest bookstore chain. THE CANADIAN PRESS/Ryan Remiorz

TORONTO — It's been one month since a ransomware attack hit Canada's biggest bookstore chain.

The hack kicked Indigo Books & Music Inc.'s website and payment systems offline and compromised the personal information of some current and former employees.

Here's a timeline of the cyberattack:

Feb. 8: In a post on Twitter at 2:15 p.m. ET, Indigo says the company is experiencing "technical issues" and its website isn't available. The retailer says its stores are open, but for cash transactions only. At 7:26 p.m. ET, the company shares an update saying it had experienced a cybersecurity incident and is working with third-party experts to investigate and resolve the situation. 

Feb. 10: Indigo says it's continuing to investigate whether any data was breached during the cyberattack. The company says it can once again accept debit and credit cards in stores, but still cannot process gift cards or returns. Indigo says customers should not log into any website that claims to be Indigo or for Plum rewards. The retailer suggests customers monitor accounts and avoid clicking on suspicious emails or links.

Feb. 14: The bookstore chain says customer credit and debit information was not stolen during the cyberattack, as it does not store the full numbers in its system. Plum reward points were also unaffected by the breach, Indigo says. Its website remains down on Valentine's Day, a key retail event during the typically sluggish winter months. 

Feb. 17: Indigo says its investigation has found no indication that customer data was compromised by the cybersecurity incident. The company says its stores can now accept returns and exchanges, and its return policy has been extended for some cases. The retailer also unveils a new, browsable-only temporary online home.

Feb. 22: Indigo announces that customers are now able to make purchases of "select books" online and browse other products. 

Feb. 24: Indigo says the data of current and former employees was stolen in a ransomware attack. In a statement on its website, the Toronto-based company says it has contracted consumer reporting agency TransUnion of Canada to offer two years of credit monitoring.

March 1: The company announces that it has decided not to pay the ransom in the cyberattack. Indigo says its network was hijacked via a ransomware software known as LockBit. The retailer says it does not know the identity of those behind the attack, but says LockBit has been used by Russian organized crime groups, and it cannot be assured that any ransom payment would not end up in the hands of terrorists or others on sanctions lists.

March 2: The company says the criminals responsible for the attack intend to make some or all of the data they have stolen available using the "dark web" as early as March 2. The company says it's continuing to work closely with Canadian police services and the FBI in the United States in response to the attack.

March 8: The company's website appears to be back, although a notice suggests that the online inventory is in the process of being updated. It is still recommended that consumers contact local stores to ensure a specific product is in stock and available for purchase.

This report by The Canadian Press was first published March 8, 2023.

Companies in this story: (TSX:IDG)

The Canadian Press