Indigo launched a temporary browse-only website nearly 10 days after the cybersecurity incident

Indigo Books & Music Inc. has created a temporary website for its customers to browse for books and gifts after a cyberattack halted the company’s online operations last week.

In a notice posted to the new site Friday titled “shop in store, window-shop online,” the Toronto-based retailer said the temporary website only allows for browsing and it is still not possible to make Indigo purchases online.

The company offered no timeline for when its website or app, which is also unavailable, might return.

“We are working hard to provide the seamless online shopping experience that our customers have come to expect,” the note read.

“Please check back daily for updates and progress.”

CBC News has reached out to Indigo for more information.

Still no explanation for ‘cybersecurity incident’

The temporary website was launched more than a week after Indigo first notified customers of a “cybersecurity incident” that left it unable to process electronic payments, including through its website.

A screencap shows the homepage of Indigo’s temporary website on Friday. (CBC)

When the incident began Feb. 8, Indigo was only able to process purchases made in-store with cash, but some of its services, including credit and debit payments and some return capabilities, have since been restored.

The company has said it immediately engaged third-party experts to investigate and resolve the matter, but has still not explained the nature of the incident or what caused it.

“Our investigation is under way but not yet complete,” it added Friday.

It’s not uncommon for systems to take several weeks to recover from a ransomware attack, said Chester Wisniewski, a cybersecurity expert and field CTO for applied research at security firm Sophos.

While the company hasn’t confirmed that a ransomware attack was responsible for the outage, several experts have told CBC News that it has the characteristics of one.

“But the communication to the public about what has happened and whether their information may be at risk is very poor, and generally doesn’t reflect well on brands when they’re not forthcoming about what’s going on,” Wisniewski added.

The incident has placed many of Indigo’s sales in jeopardy as customers had to purchase items in brick-and-mortar stores and were only able to make purchases in cash for much of the outage. Even though debit and credit cards are now accepted at stores, the overall impact on Indigo’s sales will be felt more deeply the longer the other problems persist.

“I suspect it’s taking a long time for them to recover their systems,” said Wisniewski. “But I also suspect they’re probably improving the security as they go, and in order to improve that security, they’re maybe taking it slowly.”

Its investigation has so far not found any instances of customer credit or debit cards being compromised, but it has not completely ruled out such a breach.

“If at any point in the future we determine that personal data has been compromised, we commit to contacting those impacted directly,” Indigo wrote in its Friday note.

The company has also assured customers that points distributed through its Plum loyalty program have not been impacted, but redemptions, sign-ups, or renewals are not currently possible.

However, customers can still receive Plum discounts for purchases made in-store while the incident is ongoing. Points will be issued at a future date as long as shoppers retain their receipts.

Plum points typically expire when a customer doesn’t make a qualifying purchase within 12 months. Shoppers with points set to expire in February will see their expiration date extended to March 31, Indigo said.

The company has also extended the 30-day exchange or return timeline for purchases that had to be brought back between Feb. 8 and 15. Customers with such items will now have until Feb. 21 to make returns.

The retailer remains unable to cancel orders placed before the incident, but said once the issue is resolved, it will provide refunds. It is also unable to offer order status updates or estimated delivery timelines for people awaiting shipments from Indigo.