Indigo - The Cybersecurity Incident

Indigo Books & Music Inc., known as "Indigo" is Canada's biggest bookstore. Indigo experienced a ransomware attack in early February 2023 that disrupted internal operations, caused service disruptions to both their retail and online sales channels and negatively impacted sales and profitability. Their e- commerce channels were temporarily shut down and their website was not fully operational again until four weeks after the attack. Immediately following the incident, Indigo was only able to process purchases made in store with cash. Some of its services, including over-the-counter credit and debit payments as well as exchanges and returns were restored quickly, but two weeks after the attack customers remained unable to make purchases online except for "select books".

At the time of the attack, Indigo Books & Music Inc. had recently promoted a new chief executive. A major upgrade of the company's decades-old website was just wrapping up, with investment in enabling infrastructure that would support a modernized e-commerce technology using cloud computing. Online sales at the end of 2022 had grown by 63% over the comparable pre-pandemic quarter, with record breaking sales on Black Friday. The retailer was implementing grand plans to expand its offerings, looking beyond books, and launching into various markets worldwide. On the morning of the attack the hackers made themselves known to Indigo for the first time. An emergency response team of staffers speedily shifted into overdrive as they tried to contain the complex threat with the help of third-party experts. But the cybercriminals were well-resourced, Indigo spokesperson Melissa Perri recalls, and by the time they asked for a ransom that day the attackers had already deployed the notorious malware dubbed LockBit to illegally access the company's multilayered network. Indigo reacted swiftly by shutting down its operations. Later that evening the company acknowledged publicly that it was experiencing a "cybersecurity incident," not revealing much else out of caution.

Over the next few months, the attack wreaked havoc on Indigo. It crashed e-commerce services, continued to affect customers' ability to pay for or find merchandise in stores, and made shipment impossible. The company turned to Shopify, who built them a new website in three days, to get the bookstore back online. While the company's investigation found no evidence that customer data such as credit card numbers or passwords were accessed by hackers, personal and financial information about Indigo employees was leaked to the dark web where itwas sold for the cryptocurrency equivalent of $50 to $300. Many employees at the company had sleepless nights. Some thought frequently about quitting; others did. Indigo offered current and former employees two years of identity theft monitoring but employees remained fearful about their personal data being compromised. One former employee said "I do wish Indigo would do a little bit more, because a two-year subscription to monitoring, I just don't feel like it's enough considering the weight of the situation." Months after the attack, the Federal Bureau of Investigation in the United States, the Royal Canadian Mounted Police and even Indigoofficials still didn't know who exactly the hackers were. The full extent of the breach's impact also remained uncertain. Indigo reported $5.2 million in expenses related to the incident in the two months following the attack, but the damage to the business was much broaderas sales sank andlosses swelled.

This attack, however, is far from unique. Authorities have warned about the threat of such digital onslaughts for years. But hacking is a bigger problem now than ever before. Over the past year, many high-profile organizations in Canada have been hit, including the Hospital for Sick Children in Toronto, the Prime Minister's Office, grocery giant Empire Co. Ltd., which operates Sobeys, Safeway, IGA and FreshCo locations from coast to coast, the Liquor Control Board of Ontario, the Toronto Public Library and others. Like many of these organizations, Indigo decidednot to pay a ransom to their hackers, noting that paying ransommay not even protect those whose data has been stolen,as there is no way to guarantee the data will be deletedonce the ransom is paid.

In August 2023 on its quarterly call with analysts and investors, Indigo CEO Peter Ruis reported that the company continued to weather carryover impacts of the ransomware attack, noting that search engine optimization was heavily impactedleading to a weakeronline presence and lower online traffic. Online revenue in the quarter was 26% lower than the sameperiod in 2022. The companys reimagined website was up and running, with the company anticipating it would offer a much-improved online shopping experience. The companys FAQ lists many features that were changed on the modernized website, which is powered by Salesforce. In its November 2023 quarterly report however, Indigo reported temporary disruptions from the website launch. While the new web platform provided improved functionality and agility, and an overall superior customer experience, online revenue was impacted during the launch period. Indigo reported that by the end of the quarter most critical disruptions had been resolved, leading to improvements in online conversion.

Strolling between rows of books and a seemingly endless array of other wares at Indigo Books and Music Inc.s newest store in Torontos The Well buildingin October 2023, company founder Heather Reisman is in her element. She admires art from local customers that hangs atop the store's stationary section, toggles a jukebox to play Bette Midler's 1990 hit "From a Distance," and fantasizes about dedicating space in the kids' section for arts and crafts. Reisman served as chief executive of Indigo until August 2022, when Peter Ruis, a retail executive with experience at John Lewis,Anthropologie, and Jigsaw, took over. Reisman left the businesss board in August this year, calling the move to retire "one of the toughest decisions a founder must make." Before her retirement, four of Indigo's 10 directors had left the board, with Dr. Chika Stacy Oriuwa attributing her resignation to a "loss of confidence in board leadership" and "mistreatment." Indigo never elaborated on Oriuwas allegations.

Ruis was brought in to bring back stability to Indigos leadership, but resigned after a year on the job, offering no reason to the public for his departure. Andrea Limbardi, Indigo's president and a 21-year employee of the company, also announced in a LinkedIn post around the same time she was leaving to take the helm of apparel business Reitmans Canada Ltd. Few were surprised when Reisman was promptly named Ruiss replacement, but just over a month into her latest tenure, Reisman doesn't want to talk about the transition or what came before it. Asked about what changes she may have made internally and Oriuwa's "mistreatment" allegation, she refrained from answering. She also avoided questions abouthow her predecessor's visionfor the Well store may have differed from her own.

In August, Ruis had told The Canadian Press the new store concept, the Well (in a new mixed-use community at Front and Spadina streets in Toronto), would allow shoppers to snack on pastries, coffee, beer, and wine served from a blue Citron truck from the 1950s by the shops entrance and browse nooks dedicated to home fragrances, plants and popular Japanese graphic novels known as Manga. Also on hand would be a listening booth and jukebox, 1980s pinball and Pac-Man machines. While Reisman retained many of the elements Ruis had planned including the jukebox, the plants, pinball and Pac-Man machines are nowhere to be found a day before opening. An art installation by Canadian artist Kent Monkman is coming soon. "I've never built a store that at the end, we didn't come in and say, 'Oh, we missed it on this, or we missed it on that,'" Reisman said. "It is a process." One glance at the store shows books are meant to reign supreme. They're front and centre when customers enter the door and still dear to Reisman's heart, no matter how much her company has expanded. She said she has all 10,000 books she ever owned, including stacks she amassed through the Book of the Month Club she saved up her allowance to buy as a kid.

Reisman recently told investors that she is happy to be back at Indigo as CEO and Chief Book Lover. On the November 2023 quarterly call she said "We have a journey ahead of us. However, Im confident that we will return Indigo to both growth and profitability. Since my return just over seven weeks ago, we have framed an Indigo 4.0 transformation plan with both short- and long-term initiatives, and all focused on making Indigo the best it has ever been. As is always the case, it will take a bit of time beforewe begin seeing in the numbers what we want to see, but we are definitely headed in the right direction. As we look ahead to the second half of this fiscal year and beyond, we will be fully focused on our Indigo 4.0 transformation plan, with priority number one being to fully re-energize our connection to our customers who have long called Indigotheir happy place."

1. Discuss at least five ways that the ransomware attack harmed Indigo. Identify and discuss at least three reasons that Indigo may have been particularly vulnerable to a cyberattack.
2. What approaches can Indigo use in the future to assess risk and improve decisions around cybersecurity investment (provide at least 4 approaches and provide details on what they would constitute)? Describe at least 5 controls (general or application) that Indigo can implement or strengthen to reduce risk and mitigate the possibility that cybersecurity breaches could happen again in the future.
3. Drawing on your knowledge of e-commerce features and benefits, and using the Indigo cyberattack to inform your answer, explain the harms for businesses when their e-commerce channel is not availableto customers. Provideat least 4 examples.
4. Which of the four basic competitive strategies outlined in Chapter 3 of the textbook do you think best describes Indigos approach? Explain your reasoning and provide three examples of how Indigo uses or can use information systems and technologies to support that strategy. How effective is Indigo inusing information systemsand technologies to gain or maintain competitive advantage?