OVERVIEW: On 8th February 2023, Canada’s largest book retailer, Indigo Books & Music Inc., suffered a ransomware incident that shut down its whole business. In-store point-of-sale systems and e-commerce systems were infected and had to be shut down entirely to contain the spread of the attack. The attacker was able to access employees’ data, including social insurance numbers. Management reacted immediately by engaging cybersecurity experts and Canadian police services and by communicating promptly with stakeholders. The restoration of services was gradual: in-store operations resumed within days, the website was partially back online by Feb. 28, and e-commerce capabilities returned on March 8, almost one month after the attack [1][2][3].
Indigo Attack Techniques: It was confirmed that the attacker used LockBit ransomware, which entered Indigo’s network by one of several common methods: exploitation of unpatched vulnerabilities in public-facing services, malicious attachments in phishing emails, or compromised credentials acquired through social engineering [2][6].
Indigo Response: Indigo prioritized containment before restoration. First, it took all systems offline to stop the malware from spreading any further. Next, it engaged cybersecurity experts to find the root cause of the breach and begin remediation. Indigo then returned to limited in-store operations with cash-only transactions, partially restored the website with limited functionality, and later restored e-commerce capabilities to normal. Throughout the process, Indigo communicated transparently with stakeholders, reporting on the situation and recovery progress as it happened [1][10].
Potential Network Vulnerabilities: The ransomware attack exposed several weaknesses in Indigo’s network infrastructure. The attack might have been the result of insufficient network segmentation, a lack of robust access controls and privilege management, the absence of a robust endpoint detection and response (EDR) solution, and possibly outdated, unpatched systems in the internet-facing infrastructure. Phishing remained a plausible entry vector, which also points to likely gaps in employee cybersecurity awareness [2][6][7].
Losses and Mitigation: The attack disrupted both e-commerce and store operations, leading to a significant drop in revenue [8], and brought potential reputational damage and loss of customer trust [4]. Indigo confirmed that no customers’ sensitive data, including credit card information, was compromised [5]. Employees’ social insurance numbers (SINs) were breached, however. To mitigate the effect of this data breach, Indigo offered affected employees 2 years of credit monitoring by TransUnion Canada at no charge [3]. Indigo decided not to pay the ransom and spent almost a month restoring all systems to full functionality [1].
Security Recommendations [2][6][7]
- Implement strong network segmentation to contain lateral movement during an attack.
- Enforce the principle of least privilege for users and systems.
- Implement multi-factor authentication (MFA) for all critical systems, including VPN access.
- Maintain a patching schedule for all systems, especially internet-facing ones.
- Provide employees with regular security awareness training, including phishing simulations.
- Deploy an advanced endpoint detection and response (EDR) solution.
- Implement a robust, tested offline data backup and recovery plan.
- Maintain a proper incident response plan that is tested regularly.
- Prepare for zero-day vulnerabilities so that zero-day exploits can be mitigated.
- Adopt a zero-trust security model (never trust, always verify).
Conclusion: Organizations of all sizes must be able to understand and respond effectively to attacks like the one on Indigo. Through a balanced implementation of the measures described in this blog, organizations can improve their ability to limit the effects of such attacks and safeguard their operations.
A key defense strategy includes an incident response team, a comprehensive incident response plan, and regular testing and refinement of that plan. Improving network visibility through advanced threat detection tools and building relationships with external resources are also important for reacting effectively to attacks like the one on Indigo [6][7].
References:
[1] CTV News. (2023, March 14). Timeline of the ransomware attack against Canadian bookstore retailer Indigo. CTV News. Retrieved October 1, 2024, from https://www.ctvnews.ca/business/timeline-of-the-ransomware-attack-against-canadian-bookstore-retailer-indigo-1.6304258
[2] SecureOps. (n.d.). The Indigo Bookstore ransom cyber attack – Lessons learned. SecureOps. Retrieved October 1, 2024, from https://secureops.com/blog/indigo-attack/
[3] Seglins, D. (2023, March 10). Indigo employees’ data breached in ransomware attack. CTV News. Retrieved October 1, 2024, from https://www.ctvnews.ca/business/indigo-employees-data-breached-in-ransomware-attack-1.6288045
[4] Seglins, D. (2023, February 24). Indigo risks reputational damage as outage drags on: Experts. CTV News. Retrieved October 1, 2024, from https://www.ctvnews.ca/business/indigo-risks-reputational-damage-as-outage-drags-on-experts-1.6275475
[5] CTV News. (2023, February 17). No customer payment information compromised after breach, Indigo says. CTV News. Retrieved October 1, 2024, from https://www.ctvnews.ca/business/no-customer-payment-information-compromised-after-breach-indigo-says-1.6273803
[6] Government of Canada. (n.d.). Ransomware: How to prevent and recover. Canadian Centre for Cyber Security. Retrieved October 2, 2024, from https://www.cyber.gc.ca/en/guidance/ransomware-how-prevent-and-recover-itsap00099
[7] UpGuard. (2023, February 17). Best practices to prevent ransomware attacks. UpGuard. Retrieved October 2, 2024, from https://www.upguard.com/blog/best-practices-to-prevent-ransomware-attacks
[8] Solomon, H. (2023, June 28). Indigo ransomware attack cost millions, company says. IT World Canada. Retrieved October 1, 2024, from https://www.itworldcanada.com/article/indigo-ransomware-attack-cost-millions-company-says/541885
[9] Beattie, S. (2023, April 24). The Indigo cyberattack is a warning of things to come. The Walrus. Retrieved October 1, 2024, from https://thewalrus.ca/indigo-cyber-attack/
[10] CBC News. (2023, February 23). Ransomware attack against Indigo leads to release of employee data on the dark web. CBC News. Retrieved October 1, 2024, from https://www.cbc.ca/news/business/ransomware-indigo-data-release-1.6766328
[11] Adriano, L. (2023, February 24). Canadian bookstore Indigo confirms recent cyberattack involved ransomware. Insurance Business Canada. Retrieved October 1, 2024, from https://www.insurancebusinessmag.com/ca/news/cyber/canadian-bookstore-indigo-confirms-recent-cyberattack-involved-ransomware-437501.aspx
[12] McLaren, L. (2023, October 3). Did Indigo fail books, or was it the other way around? The Toronto Star. https://www.thestar.com/opinion/star-columnists/did-indigo-fail-books-or-was-it-the-other-way-round/article_bb841eb0-18da-571e-b156-a311130bf4aa.html
Interesting post! I previously posted an incident that exposed a significant amount of customer data, and one of the comments I got was the concern about the company not offering credit monitoring services to their customers. Seeing that Indigo offered this is impressive and shows their commitment to continuous compliance and safeguarding customer data. This post particularly piqued my interest because I am an Indigo customer, and although we, the customers, were not affected, it is really disheartening to see that information as sensitive as the social insurance numbers of employees was leaked. Hopefully, Indigo has closed those gaps that were exploited by the bad actors, and no employee was significantly affected by this breach. Also, the security recommendations for closing the security gaps are great for preventing future incidents!
Informative post Firas! I also wrote about a similar incident that happened with Fortinet. In both cases, the organizations were very open and transparent about the breaches, which is impressive. Being clear and transparent can help mitigate some of the reputational damage caused by such incidents.