Indigo got hacked

I’m speculating here, but the recent cybersecurity incident at Indigo might not be so recent.
It just so happens that I purchased a book from the Indigo website a few weeks ago, and they were already experiencing issues:
1. I ordered the book for in-store pickup, but I didn’t receive any email notification on pickup day, and my order status got stuck at “Shipping Pending”;
2. I cancelled the order and was planning to re-order from Amazon;
3. The next day, an employee from the Indigo store called and told me that my book was ready for pick up, and I had never been notified about that because there were some problems with their system;
4. I picked up my book, but my credit card has still not been charged two weeks later;
5. There have been no unusual charges either. 🙂

Good book, btw.

10 comments on “Indigo got hacked”

  1. Just remembered that Indigo is actually a public company: Indigo Books & Music Inc. (TSX:IDG).
    If I were holding any shares, I would be nervous.
    This breach might be serious; the website is still down after 4 days.
    They will have a revenue loss, extra expenses on IT and security, and reputational damage.
    If clients’ information was stolen, they can also expect a lawsuit and even bigger reputational damage.

  2. So, I’ve checked the financial statements for last year, and Indigo is losing around C$500K in revenue per day at the moment with their website being shut down.
    My estimate for two days (February 8-10) of physical stores not accepting credit and debit cards would be somewhere around C$3M in lost revenue.

  3. The Chapters/Indigo website is still down, and I still have not been charged for the book, which I bought more than 3 weeks ago.
    So, I will keep speculating…

    Possible reasons why it takes so long for Indigo to restore their website:

    • They can’t find where the breach started, so bringing the website back online would result in it being hacked again;
    • Indigo found the problem but can’t fix it so far because it involves some third-party software, so they are waiting for the fix and/or looking for alternatives;
    • Indigo can’t (doesn’t know how to) completely clean the website, but this can only happen when you don’t have an adequate backup system. You basically make a copy of the hacked website to investigate further, restore it from backup, fix the problem, and go back online;
    • Their logistics/orders system is so messed up, it takes too long to restore it.

    Even though Indigo says that customer credit and debit card information is safe because they don’t store it in their system, some information could still have been stolen if malicious code was inserted into Indigo’s checkout process.
    Plus, the hack might have happened a long time ago, not last week, considering that problems started before that.

  4. Indigo finally updated its website, and now users can at least browse products, but it is not possible to log in to your account or buy anything.
    I’ve found out that the Indigo website is actually using Shopify, so I tried several stupid tricks, and some of them actually worked.
    I created and logged in to a test account:

    I even received a confirmation email about that:

    I found that there has been a Boycott Chapters campaign going on since at least 2007; I don’t know if that is the reason for the hack.
    But the boycottchapters.com domain is registered and owned by Indigo. 🙂

    There are actually lots of funny domains registered and owned by Indigo, and right now they all redirect to the Indigo website:

  5. Hm.
    The confirmation email from Indigo is interesting.

    First, the phone number is 5I42O62954.
    If I google it, I get some chalet rentals in Quebec:
    https://sortirauquebec.com/en/listing/cottage-apartment-tourist-home/chalet-kiwis-cottage/
    Which has an email address ianrichards2000[at]gmail[dot]com.
    Ian Richards seems to be a real person working at Indigo:
    https://ca.linkedin.com/in/ian-richards-91a7744a
    Don’t know what his personal phone number is doing in this email.

    And then cmacleod[at]indigo[dot]ca is probably Conner MacLeod:
    https://ca.linkedin.com/in/connermacleod

  6. Indigo’s website is now fully operational; it took them one month.
    I would estimate a total loss of C$15-C$25M because of this incident.

    I have logged in to my account and checked my last order.

    It has an “Awaiting Shipment” status, even though I cancelled it on January 27 or 28 and picked up my book on January 31.
    I assume the hack happened somewhere between these dates; that’s why the website was rolled back (in the end, they had a proper backup 🙂 ) to this point in time.
    My credit card has never been charged.


DISCLAIMER: The content in this blog represents the opinion of the author. No information here should be used for any purpose except for entertainment.