Canadian book giant says employee data was stolen during ransomware attack
Canadian bookseller Indigo denied that any customer data was stolen last month during a ransomware attack that took down its website. Data from the multibillion-dollar company's workers, however, didn't fare as well.
In an undated followup FAQ, Indigo now says employee data was involved in the attack. The Toronto-based company did not respond to requests for comment about how many people were affected. It has more than 8,000 current employees at more than 160 stores across Canada.
Indigo said current and former employees would be contacted through email about the incident by identity theft management company Cyberscout. Those without email addresses on file will be sent letters in the mail.
“Through our investigation we learned there is no reason to believe customer data has been improperly accessed, but that some employee data was. We have notified and are cooperating with law enforcement,” the company said.
The FAQ does not specify what type of employee data the attackers accessed. The LockBit cybercrime gang claimed the attack on Tuesday evening.
Employees will be provided with two years of free myTrueIdentity credit monitoring and identity theft protection services.
Several current and former employees criticized a statement Indigo posted February 17 on Twitter. It makes no mention of the employee information accessed during the attack. Some said their personal email and address is no longer the same as when they worked at Indigo, meaning they did not get the breach notification letters.
Also a former employee. Also didn't hear anything from Indigo. Created this Twitter account specifically to try to get info from them. I did find a hotline for Transunion (through Reddit) - they confirmed I'm on the list of those compromised. Talk about poor communication.— FormerIndigoEmployee (@DoBetterIndigo) March 1, 2023
While the initial investigation indicated customer data was not compromised, Indigo noted that “if at any point in the future we determine that personal data has been compromised, we commit to contacting those impacted directly.”
Much of Indigo’s Twitter statement focused on the fact that the company is now able to resume all forms of payment and can facilitate exchanges or returns at stores. The attack initially had downed those systems.
“We are also working hard to return our seamless online experience to you,” the company said. “As part of this work, we are thrilled to share a new temporary online home for you to explore at indigo.ca. This browsable-only experience will include a selection of bestselling books and a curated edit of lifestyle products.”
The FAQ also explains that online ordering is still limited and the Indigo app is still unusable. Order status and delivery estimate systems are also still down. The company said it is also unable to cancel orders made before February 8.
LockBit has given Indigo until Thursday to pay a ransom before the information is leaked.
The group has quickly become the most prolific ransomware gang operating, launching hundreds of attacks last year on government agencies, companies and organizations around the world.
The group has caused particular outrage in recent weeks with attacks on a U.S. bus system, a Canadian children’s hospital, one of the biggest ports in Europe and a British postage and courier company.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.