
Indigo refuses to pay ransom, warns stolen employee data may be posted to dark web

An Indigo bookstore is seen Wednesday, November 4, 2020 in Laval, Que. Indigo Books & Music Inc. is refusing to pay a ransom after current and former employees' data was hijacked in a cyberattack last month. THE CANADIAN PRESS/Ryan Remiorz

Canada's biggest bookstore chain is warning employees that data stolen in a cyberattack may be posted on the so-called dark web after it refused to pay a ransom demand.

Indigo Books & Music Inc. said Thursday that its network was hijacked last month by cyber criminals using ransomware known as LockBit, knocking its website and digital payment system offline.

The Toronto-based retailer said it decided not to pay the ransom as it "cannot be assured that any ransom payment would not end up in the hands of terrorists or others on sanctions lists."

"Although we do not know the identity of the criminals, some criminal groups using LockBit are affiliated with Russian organized crime," the company said.  

Paying the ransom may not even protect those whose data has been stolen, as there is no way to guarantee the data would be deleted once the ransom is paid, the company said. 

While the company's investigation found no evidence that customer data such as credit card numbers or passwords was accessed, Indigo said the data of some current and former employees was compromised in the attack.

The retailer said it's providing two years of identity theft monitoring to current and former employees affected by the security breach.

Cyberscout, a TransUnion company, will contact current and former employees directly to notify them of the cybersecurity incident, the company said. 

One former Indigo employee said Thursday that she hadn't yet heard whether she was affected by the breach. 

The former worker, who asked that her name not be used for fear it could make her a target of the hackers, said the idea of her personal information being on the dark web is "frightening."

She said she is very worried about the situation, adding that there are potentially thousands of former employees who share her concerns.

Meanwhile, Indigo's new website is online, though customers remain unable to make purchases except for "select books."

The company is not yet able to accept mail-in returns, Indigo said. 

Harley Finkelstein, president of tech giant Shopify Inc., said in a social media post that Indigo turned to the tech company to help get the bookstore back online. 

"They came to us, and in three days, we were able to build them a new site and get them back online and selling," he said on Twitter.

Indigo stores — which for several days were limited to cash-only transactions — have fully reopened and can once again accept credit and debit payments. 

Indigo said it's continuing to work with Canadian police services and the FBI in the United States in response to the attack.

The company also said it's continuing to work with third-party experts to strengthen its cybersecurity practices and enhance data security measures.

This report by The Canadian Press was first published March 2, 2023.

Companies in this story: (TSX:IDG)

Brett Bundale, The Canadian Press
