The Indigo Cyberattack Is a Warning of Things to Come

Those handling state secrets or critical infrastructure seem to fare no better than a bookstore chain

When the website for Indigo Books & Music went offline on February 8, the company called the occurrence a “cybersecurity incident.” Details—the nature of the attack, how far-reaching its impact was, who was behind it—were scarce. In response to social media inquiries, the company repeated it was working with third-party experts to determine what happened and that more information would be made available as it came to light. In the meantime, Indigo stores struggled to process credit- and debit-card transactions, and people waiting for online orders were left with no idea when their purchases would arrive.

One week in, with no improvement on Indigo’s website and scant updates from the company, there were media rumblings that the incident was, in fact, a ransomware attack—a type of cyberattack that locks targets out of their computers or online systems until a ransom is paid, usually in difficult-to-trace cryptocurrency. Indigo responded to data concerns by assuring the public that, to the best of the company’s knowledge, no customer information was stolen.

Indigo staff, past and present, weren’t so lucky. On February 24, two and a half weeks after the “cybersecurity incident” was first detected, the Globe and Mail reported that the breach had compromised employees’ information, including names, home addresses, emails, social insurance numbers, and banking information. It got worse. Indigo also determined that the attack employed LockBit, a type of malware already linked to numerous ransomware attacks. The figures behind LockBit are obscure, but there are indications the software has ties to Russia. According to CBC News, a post on the dark web—an encrypted corner of the internet that traffics in guns, drugs, and child pornography—warned that if a ransom was not paid by March 2, employee information would be released. Indigo refused, and the deadline came and went. None of the company’s sensitive information appeared to have been leaked. A cybersecurity expert was quick to note that the fact that the criminals didn’t make good on their threat did not mean the threat had receded.

Indigo’s data breach is a nightmare for those affected, many of whom now live in fear their information will be made public at some point or used for identity theft. Book publishers and distributors were also left scrambling to mitigate the consequences. According to a spokesperson at LitDistCo, which handles distribution for a large number of Canadian-owned independent presses, the scope of Indigo’s recovery work was so extensive, and the situation was changing so quickly, it left players in the book industry without a roadmap for how best to navigate the situation as it unfolded. “Indigo is our biggest customer in Canada, so there is a trickle down,” Karen Brochu, vice president of sales and marketing at House of Anansi Press, said in an email to me. “Anything that impacts their cashflow, impacts ours.”

For many Canadians, the incident brought home the reality that cybersecurity attacks are increasingly prevalent and are infiltrating every part of our lives. Recent victims include the Liquor Control Board of Ontario, Maple Leaf Foods, Empire Company Limited (the parent company of the grocery chains Sobeys, Safeway, and IGA), and SickKids hospital. Attacks range from distributed denial of service (which floods traffic to a website, overloading the servers and effectively rendering the site useless) to data breaches that mine personal information, often for identity theft.

What these incidents show is not just that online security is inadequate but also that those trusted with sensitive personal information seem utterly helpless in the face of hackers bent on spying, extorting money, or simply sowing chaos. Especially unsettling is that those handling state secrets or critical infrastructure seem to fare no better than a bookstore chain.

On March 8, CTV News reported that the Toronto-based engineering giant Black & McDonald had been hit by a ransomware attack. Black & McDonald, which handles maintenance and logistical support for the Department of National Defence, also has contracts with the Toronto Transit Commission and Ontario Power Generation. These clients provide critical infrastructure to Canadians, the disruption of which could result in dire consequences. (According to its website, OPG provides more than half of the electricity Ontarians depend on daily.) Black & McDonald has been reluctant to provide details, refusing, at one point, even to admit anything had occurred. However, according to The Record, a DND spokesperson confirmed the attack and maintained that, to the best of their knowledge, no defence systems or information had been breached.

The issue of a national security risk is not merely theoretical. Though no one has yet claimed responsibility for Black & McDonald’s cyberbreach, the fact that some ransomware operations are Russia-based has been flagged by threat analysts. If the origins can be traced back to that country, involved in an ongoing war in Ukraine for which it blames the West, the potential for a foreign state to directly meddle with Canada’s national infrastructure may be much more acute—and that much more alarming.

Or take, for another example, the country’s food and pharmaceutical supply chains. When the attack on Empire knocked out Sobeys’ website, it also took away staff’s ability to access or refill prescriptions online. The attack, which the Globe and Mail reports will cost Empire about $32 million, was merely the tip of Canada’s food-security iceberg. According to a Financial Post article from March 10, one cybersecurity expert, with experience dealing with cybercrime against banks, defence contractors, and hospitals, has been increasingly responding to dozens of hacks into farming operations in Ontario. On two occasions, he has been contacted by farmers whose livestock have been threatened with eradication. Wiping out an entire herd of cattle or flock of chickens remotely might seem difficult until one recognizes how easy it would be for a determined hacker to gain access to automated temperature controls or air-filtration systems.

According to the Financial Post, Russia is not the only hostile state engaged in such cyberattacks. China, Iran, and North Korea have also been looking into ways to disrupt digital systems on farms. At a February 7 meeting of the Standing Committee on National Defence, Sami Khoury, head of the Canadian Centre for Cyber Security, part of the Communications Security Establishment, told the committee that “cybercrime remains the largest cyber-threat to Canadians and that critical infrastructure is the main target of cybercriminals and state-sponsored threat actors.” Deputy chief of signals intelligence Alia Tayyeb, one of Khoury’s colleagues at the CSE, told the committee such threats are “growing exponentially.”

Reached for comment on March 17, Indigo sent a statement indicating that its online and in-person operations “have largely returned to normal.” An FAQ section on its site states the company is “working hard” to restore its systems. Indigo has offered employees affected by the attack a two-year subscription with TransUnion Canada, a company that monitors credit scores and other online security issues. A company update also notes that it is cooperating with Canadian authorities and the Federal Bureau of Investigation in the US to mitigate the fallout.

The ransomware attack on Canada’s largest bookselling chain may not be comparable to a strike against a children’s hospital or the country’s national defence apparatus, but it does indicate how indiscriminate such attacks have become. It also underscores the pervasiveness of criminality and malfeasance online—and just how tenuous our collective security is. It’s like a canary in the digital coal mine, offering a disquieting glimpse into the more devastating consequences black-hat hackers might yet unleash.

Steven Beattie
Steven Beattie’s writing has been published in the Globe and Mail, National Post, and Canadian Notes & Queries. He lives in Toronto.