Cyber Incident Victim: IndiGo
Date:
Feb 2023
Location:
Canada
Summary
A major Canadian book and merchandise retailer experienced a cybersecurity incident that forced its systems offline, disrupting website operations and electronic payment processing across all physical locations. The company engaged third-party experts to investigate the breach while temporarily limiting in-store transactions to cash only, with gift cards and returns suspended during the outage. Customer data compromise remained under assessment as the organization worked to restore services. The incident impacted the national chain operating nearly 170 stores under multiple banners and employing thousands nationwide.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On February 8, 2023, Indigo Books & Music Inc., Canada’s largest bookstore chain, publicly disclosed a cybersecurity incident that disrupted its operations. The company issued a website notice confirming the event had occurred earlier that day, stating it had engaged third-party experts to investigate and resolve the situation. Immediate operational impacts included the unavailability of Indigo’s website and the suspension of all electronic payment processing across its retail locations. Stores remained open but could only accept cash transactions, with gift card redemptions and product returns temporarily halted. Through its Twitter account, Indigo acknowledged it was actively working to determine whether customer data had been compromised during the incident, though no confirmation of data exposure was provided at the time of initial reporting. The cyber incident occurred during regular business hours, forcing the company to implement manual transaction processes at its 89 superstores and over 80 smaller format locations nationwide.
Indigo, a publicly traded retailer with approximately 8,000 employees, faced significant operational disruption given its reliance on digital systems for both e-commerce and in-store sales. The company’s merchandise sales had recently reached record second-quarter levels at $236.2 million for the period ending October 2, 2022, underscoring the potential financial implications of prolonged system outages. At market close on February 8, Indigo’s stock traded at $2.35 per share, though the direct correlation between this valuation and the cyber incident remains unspecified in available reports. The retailer’s diverse operations encompass book sales alongside household goods across banners including Chapters, Coles, Indigospirit, SmithBooks, and The Book Company, all affected by the payment processing limitations. No technical details regarding the attack vector, threat actor identity, or system restoration timeline were disclosed in initial communications. The company maintained focus on investigation efforts and restoring critical functions while continuing physical store operations under constrained transactional capabilities.