2 min read

Indigo Books & Music refuses to pay ransom after hackers stole employee information


March 02, 2023

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Indigo Books & Music refuses to pay ransom after hackers stole employee information

Three weeks ago, Canadian bookstore chain Indigo announced that it had suffered a "cybersecurity incident" that left its website and app offline, the company unable to accept electronic payments, and caused orders to be delayed.

With help from Shopify, a brand new temporary website was brought online within days and was able to fulfil orders for hungry bookworms.

But it's not all good news.

In an update posted on its new website, Indigo has not only confirmed that the security incident it experienced was a ransomware attack, but also that data related to current and former employees was stolen by hackers.

Frustratingly, Indigo's FAQ does not share any details of the precise nature of the employee data which was stolen.

The notorious LockBit ransomware gang is threatening to release the exfiltrated data as early as today on the dark web unless its ransom demands are not met.  Indigo, however, has said that it is not prepared to cave in to the extortionists' demands as there is no guarantee that any money paid won't "end up in the hands of terrorists."

It appears that Indigo believes there is no guarantee that paying its blackmailers will result in the sensitive information not being shared more widely.  It also appears that, for now at least, Indigo is in agreement with many law enforcement agencies who argue that paying a ransom only encourages others to launch attacks in the future.

According to Indigo, it is prioritising the "safety and security" of its employees past and present, which includes workers at its Chapters and Coles stores, and has offered two years free credit monitoring and identity theft protection to all employees.

Former employees for whom Indigo has contact details will be notified of the risk via email or post.  Of course, this is bad news for anyone who used to work for Indigo who has since moved house, or changed their email address.

The company says that it has not found any evidence that customer information may have been accessed by the hackers.

Canadian police and the FBI are said to be working closely with Indigo as the attack is investigated.




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.

View all posts

You might also like