Canadian bookstore chain Indigo was affected by a ransomware attack earlier in the month that forced it to take many of its retail systems offline. The company, which has stores all over Canada and employs 8,000 people, was adamant at the time that no customer data was compromised.
The 8,000 employees, however? Not so lucky, as it turns out.
“There is no reason to believe customer data has been improperly accessed,” Indigo said in a FAQ on its site, “but we now know that some employee data was”.
The FAQ on the company’s website goes into a lot of detail about how little the attack has affected customers but is very light on detail when it comes to just what employee data has been accessed.
Similarly, a recent tweet from Indigo focuses on the customer side of things without addressing the impact on its own staff.
“The security and integrity of your data is our top priority,” the post read, before going on to describe how in-store payment methods are being restored.
Indigo has, however, been contacting its current and former employees and is offering free identity protection.
“To provide additional assurance and protection to all employees, we have retained the assistance of TransUnion of Canada, Inc., one of Canada’s leading consumer reporting agencies, to offer two years of myTrueIdentity credit monitoring and identity theft protection services at no cost,” Indigo said on its site.
However, some former employees have taken to Twitter to voice their concerns, according to The Record. Some no longer have the same email addresses as they did when employed by Indigo, and others, who have only learnt of the incident via posts on Twitter, have had to contact TransUnion directly to see if their data is at risk.
“I did find a hotline for TransUnion (through Reddit) – they confirmed I’m on the list of those compromised. Talk about poor communication,” said one former employee.
The ransomware group LockBit (also the name of the ransomware it uses) has taken responsibility for the attack and has given Indigo until today (2 March) to pay, or it will publish all the data it has.
LockBit is a Russia-based actor that has been in operation since at least 2019. It is responsible for a number of high-profile attacks in the last six months, including on the UK’s Royal Mail service, an Irish financial services company, and the Italian tax office.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.