Indigo Books & Music continues to calculate the extensive expenses resulting from a ransomware attack that temporarily crippled its e-commerce platform, disrupted payment processing in retail stores for three days, and caused its website to go offline for approximately a month earlier this year.

During its most recent quarter, the retailer incurred a loss of $42.5 million, $19 million more than the same period last year. Indigo stated that although an exact figure is unavailable, the majority of this increased loss was attributed to the cyberattack.

Indigo made the decision not to pay a ransom to the perpetrators, who utilized LockBit, a type of software, to unlawfully gain access to its network. The company expressed concerns that paying the ransom could potentially fund terrorists or individuals on sanctions lists.

However, a recent report from Blakes, a law firm, reveals that most Canadian companies affected by ransomware attacks do comply with ransom demands, which have become considerably more costly for businesses compared to previous years.

Ransomware attacks occur when hackers use malware to infiltrate a company's IT systems, encrypt or steal information, and then demand payment in exchange for its return.

“The threat actors — the bad guys — are getting to be quite sophisticated in their attacks,” said Sunny Handa, a partner at Blakes who leads the firm’s technology practice.

“They are taking a lot of data, they are targeting sensitive data and they are publishing that data … they’re (also) hunting down the backups and they’re destroying backup systems.”

According to Handa, a breach counsel advising clients on cyberattacks, once a business's networks are encrypted by hackers, the company's operations are effectively paralyzed. This factor, along with the emergence of an industry centered around cyberattacks, contributes to the willingness of victims to pay ransoms to avoid extended disruptions to their operations.

Handa states that the value of ransom demands continues to rise as hackers invest more in their techniques and recognize the existence of a market where victims are willing to pay higher sums.

Blakes compiled its report based on publicly traded companies listed on the Toronto Stock Exchange that disclosed cyberattacks, as well as information from its own clients. The report covers breaches that occurred from September 1, 2021, to December 31, 2022.

Handa clarifies that the report does not encompass every data breach in Canada but aims to provide insights into trends within the industry. Although the exact number of incidents each year is unclear due to many companies not disclosing cyberattacks, Handa estimates the figure to be in the thousands.

Apart from ransom payments, companies face various financial consequences when dealing with data breaches. Handa highlights the "hard costs" associated with hiring professionals such as himself, forensic teams, and communication experts. Additionally, there are the "opportunity costs" stemming from lost business and the potential damage to a company's public image.

In its recent disclosure, Indigo revealed that it spent $5.2 million to address the ransomware attack, which included legal and professional fees, data remediation costs, hardware and software restoration, and losses related to inventory. Furthermore, the attack impeded sales processing and caused significant operational disruptions for the company.

Indigo has cyber insurance coverage and is currently working with its insurer to file claims, but it anticipates a delay between incurring costs and receiving insurance compensation.

Last week, Calgary-based Suncor experienced a cyberattack that is expected to result in substantial financial losses for the company.

Canada's Communications Security Establishment, the electronic spy agency, stated in its annual report last week that it successfully blocked 2.3 trillion "malicious actions" targeting the federal government throughout the previous fiscal year.