Indigo won't pay ransom for stolen employee data
Company still says no indication customers are at risk in wake of cyberattack
Canada's largest bookstore chain says it won't pay ransom to the online group claiming responsibility for the cyberattack that stole at least some personal data of current and former employees of Indigo Books & Music, and which likely caused the recent downing of its website.
A recent post on the dark web claiming to be from people affiliated with the ransomware group LockBit says the data will be released Thursday at 3:39 p.m. ET.
In a statement to CBC News, the company said while it has been informed that "some or all of the data" could become available, it does not believe it's appropriate to pay the ransom because it cannot guarantee the money would not "end up in the hands of terrorists."
Some former Indigo workers said they are worried about what could happen if information such as their emails, home addresses and social insurance numbers are made public.
"I went from confused, angry, sad, anxiety to the 10th degree, back to angry. Just a swarm of emotions just all at once," said Sean, who worked at an Indigo-owned store in Quebec from 2015 to 2020.
He was advised, via email, his information may be included in the stolen employee data. CBC News is not using his full name to avoid further compromising his identity.
"I'm trying to do as much as I can to protect myself. Cancelling credit cards, changing any possible password," he said.
"But you have to wonder how much of this can you control?"
In late February, current and some former Indigo workers were offered two years of identity theft monitoring.
The company did not indicate whether this offer would change because of the threatened release of the data, but said in its statement that its "priority remains the safety and security of our current and former employees."
Indigo's reactions have not been enough for victims such as Sean, who says he's begun checking his credit report daily out of concern.
"I do wish Indigo would do a little bit more, because a two-year subscription to monitoring, I just don't feel like it's enough considering the weight of the situation," he told CBC News in an interview on Wednesday.
Identity of group behind attack unknown
In an email to employees provided to CBC News, Indigo president Andrea Limbardi wrote that "privacy commissioners do not believe that paying a ransom protects those whose data has been stolen."
CBC News has reached out to the Privacy Commissioner of Canada to confirm its stance on these matters, but in a previous statement the Commissioner's office said it was aware of the privacy breach at Indigo and remains in contact with the company.
Indigo added that it does not know the identity of the group behind the attack. LockBit has been involved in previous cyberattacks, including one that targeted Toronto's Hospital for Sick Children.
Indigo has been unclear about whether this specific attack directly took down its website, but has said when the ransomware hit, the company chose to "shut down" systems. At the time, the chain's brick-and-mortar stores were also unable to process credit, debit or gift card transactions. Hours later, the company posted online that it "experienced a cybersecurity incident."
Physical stores were back up after the following weekend. The website was back to taking some purchases last week.
Corrections
- A previous version of this story said the stolen data would be released on Friday. In fact it is Thursday. (Mar 02, 2023 7:24 AM ET)