Ransomware group behind Indigo hack says it released stolen employee data, but nothing has appeared yet

A cyberattack group says it has released data from Canadian retailer Indigo after the company refused to pay a ransom, but that data did not actually appear on the LockBit 3.0 forums as promised after a deadline passed.

Personal information belonging to current and former Indigo employees was compromised

Pedestrians walk past an Indigo store in Toronto’s downtown Yorkville neighbourhood on March 1, 2023.
A ransomware attack has compromised staff data at Canada's largest book seller, but a public release of the information didn't happen as expected on Thursday. (Evan Mitsui/CBC)

A deadline for Indigo Books to pay a ransom or risk the public release of employee personal information has come and gone without the stolen data being made public, but a privacy advocate and cybersecurity analyst both say this doesn't mean there's any less risk for Canadians affected by the data breach.

On Wednesday night, Canada's largest bookstore chain said it would not agree to payment demands from an online group claiming affiliation with ransomware site LockBit, because it could not guarantee the money wouldn't "end up in the hands of terrorists."

The hacker group indicated it would be posting all the stolen information publicly, and a countdown timer posted on multiple versions of the LockBit dark web forum said the data would be released on Thursday at 3:39 p.m. ET.

A screenshot of a web page shows LockBit 3.0 logos, the Indigo Books logo, and "Files are Published" but there are no links to download files.
A 'dark web' page purporting to have published the Indigo ransomware data did not actually have any data published on it, as of Thursday afternoon. (Screenshot)

After the deadline passed on Thursday afternoon, the LockBit forums said the data had been released. However, neither CBC News nor an independent security analyst could find any data available to access. CBC reached out to Indigo to confirm whether it was aware of the data having been released, but did not hear back in time for publication.

Just because the information appears not to have been posted does not mean the data is safe or secure — and it definitely doesn't mean the data won't be released in the future, according to Chester Wisniewski, field chief technology officer at international cybersecurity firm Sophos.

"They are criminals, after all. They are not obligated to do anything that they say they're going to do," said Wisniewski, who is based in Vancouver. 

He noted that it must be assumed that the employee data is compromised even if it's not released publicly.

A man in a beige shirt, wearing a headset, in a living room, looks straight at the camera.
Cybersecurity expert Chester Wisniewski says it should just be assumed the employee data is compromised, regardless of whether it becomes publicly available or not. (Anis Heydari/CBC)

Multiple current and former Indigo workers have told CBC News they are worried about what happens if information such as their emails, home addresses, social insurance numbers and bank account details is made public. Indigo has previously told employees those are just some examples of the stolen data.

Indigo has offered some current and former employees a credit protection service for two years. 

Meghan, who worked at Indigo-owned stores until 2020, fears that if her identity is ever compromised due to this stolen data, she could face consequences forever. CBC has agreed not to reveal her last name due to privacy concerns.

"There's been no kind of assurance at all from Indigo to me or any of my former coworkers saying what their plans are," she said in an interview Thursday morning.

A white woman wearing glasses in a black sweater faces the camera.
Meghan used to work at Indigo and is worried this data breach will cause problems for her years in the future. (Anis Heydari/CBC)

The company said it "will continue to address any concerns that may arise" in a statement to CBC News on Wednesday.

But Meghan says the two-year plan to monitor her credit history isn't enough. 

"I can't flag it years later down the line if I want to buy a house. 'Oh, I was maybe [de]frauded years ago by a company I haven't worked at for ten years,' " she said. 

"It's definitely making me a little bit more scared, I guess, thinking about the future, because this is something that will follow me potentially for the rest of my life."

Companies must 'inventory' information: privacy expert

Part of the reason Canadians may face identity theft due to cyberattacks is that corporate entities such as Indigo keep too much information, and for too long, according to Privacy and Access Council of Canada president Sharon Polsky.

"We have to look to our employers and ask why, why are you keeping this information?" she said, noting that domestic law may not be sufficient to protect Canadian data because many companies store their information on international servers, while cyber-crime organizations often operate outside of court jurisdictions. 

"We can't look to the legislation that is, at best, 20 years old and was developed before all of these technologies were even contemplated," said Polsky.

For now, she says Canadians can try to protect themselves from identity theft by keeping track of their personal data and demanding better management from corporate entities such as employers. 

Sharon Polsky, a woman in a red sweater with a black jacket, stands in a parking lot in front of an Indigo retail store in Calgary.
Sharon Polsky, president of the Privacy and Access Council of Canada, says companies should not be retaining personal information without a specific reason, and should only keep that information for defined periods of time. (Anis Heydari/CBC)

"One of the things people might want to do is put in a formal access to information request to their former employer and to the companies and governments they deal with to find out what information is held about them and who it has been shared with," she said. 

"We have to all have an inventory of the information that we've given out," explained Polsky, who referenced data points such as birth dates, social insurance numbers, driver's licence numbers and home addresses.

Indigo website remains partly down

Indigo has previously said it didn't know the identity of the group behind the attack that stole the information. LockBit has been used in previous cyberattacks, including one that targeted Toronto's Hospital for Sick Children.

When Indigo was hit by the cyberattack on Feb. 8, its website went offline entirely and the chain's brick-and-mortar stores were also unable to process credit, debit or gift card transactions. Physical stores were back up after the following weekend. 

The website was back to taking some purchases last week but is still not offering as many products for sale as before the ransomware attack. 

ABOUT THE AUTHOR

Anis Heydari

Senior Reporter

Anis Heydari is a senior business reporter at CBC News. Prior to that, he was on the founding team of CBC Radio's "The Cost of Living" and has also reported for NPR's "The Indicator from Planet Money." He's lived and worked in Edmonton, Edinburgh, southwestern Ontario and Toronto, and is currently based in Calgary. Email him at anis@cbc.ca.

With files from CBC's Meegan Read