Indigo refuses to pay ransom, warns stolen employee data may be posted to dark web

By Jason Contant | March 2, 2023 | Last updated on October 30, 2024
2 min read
Indigo refuses to pay ransom following cyberattack
An Indigo bookstore is seen Wednesday, November 4, 2020 in Laval, Que. Canada’s biggest bookstore chain says the data of current and former employees was stolen in a ransomware attack. THE CANADIAN PRESS/Ryan Remiorz

Canada’s biggest bookstore chain has warned employees that data stolen in a cyberattack may be posted on the so-called dark web after it refused to pay a ransom demand, Indigo Books & Music Inc. said Thursday.

The retailer’s network was hijacked by cyber criminals using a ransomware software known as “LockBit” last month, knocking its website and digital payment system offline.

Indigo said it has decided not to pay the ransom as it “cannot be assured that any ransom payment would not end up in the hands of terrorists or others on sanctions lists.”

“Although we do not know the identity of the criminals, some criminal groups using LockBit are affiliated with Russian organized crime,” the company said.

Paying the ransom may not even protect those whose data has been stolen, as there is no way to guarantee the data would be deleted once the ransom is paid, the company said.

While the company’s investigation found no evidence that customer data such as credit card numbers or passwords were accessed, Indigo said the data of some current and former employees was compromised in the attack.

The Toronto-based retailer said it’s providing two years of identity theft monitoring to current and former employees affected by the security breach.

Cyberscout, a TransUnion company, will contact current and former employees directly to notify them of the cybersecurity incident, the company said.

Meanwhile, Indigo’s new website is online, though customers remain unable to make purchases except for “select books.”

Harley Finkelstein, president of tech giant Shopify Inc., said in a social media post that Indigo turned to the tech company to help get the bookstore back online.

“They came to us, and in three days, we were able to build them a new site and get them back online and selling,” he said on Twitter.

Indigo stores – which for several days were limited to cash-only transactions – have fully reopened and can once again accept credit and debit payments.

 

Feature image: An Indigo bookstore is seen Wednesday, November 4, 2020 in Laval, Que. Canada’s biggest bookstore chain says the data of current and former employees was stolen in a ransomware attack. THE CANADIAN PRESS/Ryan Remiorz

Jason Contant